I've got a Windows Server 2022 VM running in Azure, and I'm looking for advice on creating a safe service account for scheduled tasks that need administrative privileges. We're trying to avoid creating a local admin account due to security concerns. The tasks involve running scripts that download and convert data, execute Visual Basic scripts, and export/save files in various formats. Every time we attempt to use least-privilege accounts, something goes wrong, leaving us in a tough spot where we need to modify our processes to make them work. It's frustrating because management's go-to solution is just to create a local admin account with a strong password, which isn't sustainable. I need to figure out how to create an account that functions like a local admin for these tasks but is fundamentally a service account—not a SYSTEM account. Also, I found some info on managed identities, but it seems more focused on Azure-level management rather than the OS-level identity I'm dealing with here. Any suggestions?
2 Answers
Honestly, none of the tasks you listed should require admin privileges. It sounds like the real problem might be with the scripts needing better coding practices. Have your developers look into fixing the underlying issues instead of giving elevated access to the service account.
Elevating privileges just to work around poor code often leads to bigger security risks and trouble down the line. Little changes like utilizing appropriate API commands can help run your scripts without needing over-privileged accounts.
Creating a true service account that mimics local admin rights but isn’t a full local admin is tricky. A service account per se isn't meant for logging in but is commonly used for passing credentials to run background services. You might want to implement Role-Based Access Control (RBAC) to delegate the minimal necessary privileges for your scheduled tasks. Also, bear in mind that for backup solutions like Veeam, a local service account is generally necessary, so that could be part of the solution you’re looking for.
If you’re still running into issues with permissions, consider stripping back the account's rights to focus solely on what’s needed for the task at hand, rather than granting blanket admin rights. That could align better with what you’re aiming to do.
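As an added example of what "stripping the account back to what the task needs" looks like on a standalone (non-domain) Windows Server 2022 VM, the script below is not from the question or either answer; the account name svc_export, the folder C:\Jobs\Export and the script run.ps1 are hypothetical. It creates a standard local user, grants it batch logon while denying console and RDP logon, scopes its NTFS rights to the job folders, and registers the task to run as that user without an elevated token.

```powershell
# Added example, not code from the original thread. Hypothetical names: account
# 'svc_export', job folder 'C:\Jobs\Export' with bin\ (scripts) and data\ (output).
# Run from an elevated PowerShell session on the VM itself.

$svcName   = 'svc_export'
$jobDir    = 'C:\Jobs\Export'
$binDir    = Join-Path $jobDir 'bin'     # scripts: read/execute only
$dataDir   = Join-Path $jobDir 'data'    # downloads and exports: modify
$scriptPs1 = Join-Path $binDir 'run.ps1'
$password  = Read-Host -AsSecureString "Password for $svcName (keep it in a vault, not in this script)"

# 1. A standard local user: not in Administrators, cannot change its own password.
if (-not (Get-LocalUser -Name $svcName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $svcName -Password $password `
        -Description 'Nightly export job (non-admin service account)' `
        -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires | Out-Null
}
$sid = (Get-LocalUser -Name $svcName).SID.Value

# 2. User rights. Task Scheduler needs "Log on as a batch job" (SeBatchLogonRight) to run
#    a task whether or not the user is logged on; the two Deny rights stop the account from
#    ever being used at the console or over RDP. No cmdlet covers this, so export the local
#    policy with secedit, add the SID to the three rights, and import it again.
function Add-SidToRight {
    param([string[]]$Lines, [string]$Right, [string]$Sid)
    $idx = (0..($Lines.Count - 1) | Where-Object { $Lines[$_] -match "^$Right\s*=" }) | Select-Object -First 1
    if ($null -ne $idx) {
        if ($Lines[$idx] -notmatch [regex]::Escape($Sid)) { $Lines[$idx] = $Lines[$idx].TrimEnd() + ",*$Sid" }
        return $Lines
    }
    # Right is not assigned to anyone yet: add it under the [Privilege Rights] header
    $hdr = (0..($Lines.Count - 1) | Where-Object { $Lines[$_] -eq '[Privilege Rights]' }) | Select-Object -First 1
    return $Lines[0..$hdr] + "$Right = *$Sid" + $Lines[($hdr + 1)..($Lines.Count - 1)]
}
$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
foreach ($right in 'SeBatchLogonRight', 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $lines = Add-SidToRight -Lines $lines -Right $right -Sid $sid
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode   # secedit templates are UTF-16
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg, $db -ErrorAction SilentlyContinue

# 3. File system: read/execute on the job tree, modify only on data\. The account can
#    write its output but cannot alter the scripts it runs.
New-Item -ItemType Directory -Path $binDir, $dataDir -Force | Out-Null
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
foreach ($entry in @(@{ Path = $jobDir; Rights = 'ReadAndExecute' }, @{ Path = $dataDir; Rights = 'Modify' })) {
    $acl  = Get-Acl -Path $entry.Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $svcName, $entry.Rights, $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $entry.Path -AclObject $acl
}

# 4. The task runs as the service account with RunLevel Limited (no elevated token),
#    whether or not anyone is logged on. VBScript steps go inside run.ps1 via cscript.exe,
#    which needs no admin rights.
$plain    = [System.Net.NetworkCredential]::new('', $password).Password
$action   = New-ScheduledTaskAction -Execute 'powershell.exe' -WorkingDirectory $dataDir `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$scriptPs1`""
$trigger  = New-ScheduledTaskTrigger -Daily -At '02:00'
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) -MultipleInstances IgnoreNew
Register-ScheduledTask -TaskName 'Nightly Export' -Action $action -Trigger $trigger -Settings $settings `
    -User $svcName -Password $plain -RunLevel Limited -Force | Out-Null
$plain = $null
```

When a script still fails under this account, find the exact object it was denied rather than elevating: run it once as svc_export with Process Monitor filtered on "ACCESS DENIED", or enable object-access auditing on the folder and read the 4656/4663 events in the Security log. The missing right is usually one folder, one registry key, or one COM component, each of which can be granted on its own. Because the account cannot change its own password, rotate it with Set-LocalUser and re-register the task (or use schtasks /change /rp) as part of the same change.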

I get what you're saying, but sometimes convincing developers to change their code feels impossible. Every time we've suggested a rewrite to avoid using elevated privileges, they argue that it worked fine before, and getting them on board feels like an uphill battle. It’s frustrating, but that’s just how it goes sometimes!