Q: How can I secure the Active Directory (AD) service accounts so that no one can use them to log on to our network?

A: Logon rights provide an elegant way to prevent users from logging on with accounts that you've created expressly for a service. There are five logon rights, each of which governs whether an account can log on a certain way. You can find these logon rights in the Microsoft Management Console (MMC) Group Policy Object Editor snap-in under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Right Assignments. Windows requires you to have the Access this computer from the network logon right to access anything provided by your server or Microsoft IIS. You need the Log on locally right to log on interactively at the console of a computer and the Allow log on through Terminal Services logon right to log on via an RDP connection. These are the only logon rights a user can directly use. The other two rights, Log on as a batch job and Log on as a service let scheduled tasks and services run under a specified account.

The key to preventing users from logging on with an account that you’ve created specifically for a service is to make sure such accounts don’t have any logon rights other than the Log on as a service right. I recommend creating a group called Service Accounts, then assigning that group the deny version of each logon right. Because deny rights override allow rights, no member of Service Accounts will be able to log on except as a service. The only problem with using deny rights to lock down service accounts is that a service that needs to access other Windows computers on the network under the service’s domain account identity won't be able to. For example, a service on server A that needs to pull files from a shared folder on server B requires the Access this computer from the network logon right on server B to do so.