Potential Security Implications When Sharing Credentials with Background Services

When you share a credential with background services, that credential becomes available to all other administrators for use with Security Controls service components. For example, say Administrator A creates a credential, enables it for sharing with background services and then assigns it to the proxy service. Administrator B is now free to assign that same credential to other service areas of the program.

Therefore:

Only enable sharing with background services on those credentials that are needed by Security Controls service components.
DO NOT enable sharing with background services on credentials that allow access to secure areas of your organization.

It is recommended that you create a service account to perform background service functions rather than using a domain administrator account.

Security Controls supports Kerberos authentication for background service interaction with various resources in addition to explicitly specified credentials. Granting permissions to the Domain\Machine$ account can be used to provide access to network shares and distribution servers in scenarios where it is not desirable or possible to create a service account.

Further, shared service credentials can be updated at any time. This makes password update maintenance easy.