Service Accounts are a necessary evil in systems administration. They tend to be shared across members of a team, have access to sensitive data and critical infrastructure. Yet, most companies have minimal safeguards in place for these accounts, and even less policy and procedure in place to govern these accounts. Service accounts don’t need to be a security threat, with a few simple Group Policy Objects and a little planning these can be the most secure accounts in your domain.

In my past life as a consultant, I ran across an unusual exploit that was created when someone added an autorun.inf to the root of the company shared drive. This exploit infected the systems with malware that was easily removed, but it could have been worse. As a result, I have created the following GPO to disable autorun at all of my clients, and is one of the first things I check when I start at a new company.

The settings for the GPO are located under Computer Configuration | Policies | Administrative Templates | Windows Components | AutoPlay Polices. The two settings are:

• Default behavior for AutoRun: Do not execute any autorun commands
• Turn off Autoplay on: All Drives

This policy is not invisible to your users! If your users have become accustomed to autorun working on certain DVDs, or CDs they may think something is wrong with their system. As always, communicate with your users about the changes you are making.