Potential Security Implications When Sharing Credentials with Background Services

When you share a credential with background services, that credential becomes available to all other administrators for use with Security Controls service components. For example, say Administrator A creates a credential, enables it for sharing with background services and then assigns it to the proxy service. Administrator B is now free to assign that same credential to other service areas of the program.

Therefore:

  • Only enable sharing with background services on those credentials that are needed by Security Controls service components.
  • DO NOT enable sharing with background services on credentials that allow access to secure areas of your organization.

It is recommended that you create a service account to perform background service functions rather than using a domain administrator account.

In addition to explicitly specified credentials, Security Controls supports Kerberos authentication for background service interaction with various resources. Granting permissions to the Domain\Machine$ account can provide access to network shares and distribution servers in scenarios where it is not desirable or possible to create a service account.

Further, shared service credentials can be updated at any time. This makes password update maintenance easy.
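
For the Domain\Machine$ option described above, the following added example (not taken from the Security Controls documentation) grants a machine account access to one share and then lists the share's permissions for review. The share name, the account name, and the choice of read-only rights are assumptions; it is also assumed that the machine account is the one belonging to the computer that runs the background services.

```powershell
#Requires -RunAsAdministrator
# Added example. Run on the file or distribution server that hosts the share.
# Every name below is a hypothetical placeholder; substitute your own values.
$ShareName      = 'PatchDist'             # hypothetical share name
$MachineAccount = 'CONTOSO\SC-CONSOLE$'   # hypothetical Domain\Machine$ account (note the trailing $)

# Assumption: read-only access is enough. Use 'Change' and 'Modify' instead
# only if the background service has to write to this share.
$ShareRight = 'Read'
$NtfsRight  = 'ReadAndExecute'

# Stop early if the share does not exist.
$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# 1. Share-level permission for the machine account only.
Grant-SmbShareAccess -Name $ShareName -AccountName $MachineAccount `
    -AccessRight $ShareRight -Force | Out-Null

# 2. Matching NTFS permission on the backing folder, inherited by its
#    files and subfolders. Effective access is the more restrictive of
#    the share permission and the NTFS permission.
$acl  = Get-Acl -Path $share.Path
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $MachineAccount, $NtfsRight,
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share.Path -AclObject $acl

# 3. Review the result. Broad principals on the same share would make the
#    narrow machine-account grant pointless, so flag them.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
Get-SmbShareAccess -Name $ShareName | ForEach-Object {
    [pscustomobject]@{
        Account = $_.AccountName
        Right   = $_.AccessRight
        Type    = $_.AccessControlType
        Broad   = $broad -contains $_.AccountName
    }
} | Format-Table -AutoSize
```

Any row with Broad set to True grants access well beyond the machine account and should be reviewed before the share is relied on.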