0

I've noticed that people don't use a user account for a specific task;

I keep thinking the concept is called a "service account"

But it causes a lot of issues surrounding security; for instance one should not use their general administrator account to browse the web, access email, and access a database for instance; because if the account becomes compromised by clicking on a nefarious link, they may end up compromising data.

So a better approach is to use a "service account" that is only used for accessing a database perhaps from another account or scheduled task / chron job.

But I'm still unsure if the terminology to describe this concept is "service account" or if it's something else like "dedicated account".

I know Linux handles this very well, as there are for instance www, apache, and nginx accounts / groups that are created to run these services.

Improve this question
1

1 Answer 1

Reset to default
2

There's no one term for this. The nomenclature changes depending on the system and context. Language that you'd use in normal conversation may have dramatically different connotations in the context of a threat modelling framework.

More generally, single-purpose accounts fall under the principle of least privilege (PoLP), and the practice may also be referred to as "role separation". These concepts are part of the broader language of threat modelling.

The term "service account" has different meanings on different platforms. For example, on Linux, the term is commonly used to refer to an account that a service runs as (e.g. Apache running under the www user), whereas on Windows "service account" is more commonly used to refer to the anonymous unique SID that a Local Service or Network Service process is provided with. There are also built-in service accounts on Windows, such as SYSTEM and TrustedInstaller, which each have their own security properties and use-cases.

In embedded systems the term "service account" usually refers to a built-in account that can be used by a service engineer to log into the system (arguably a backdoor) - an entirely different concept to what I described above.

In the context of systems administration, you'd more likely use the term "separate admin account" or "dedicated account" to refer to a high-privilege account utilised for tasks that require a specific level or type of access, e.g. a sysadmin using a normal low-privilege account for day-to-day work (emails, writing documents, etc.), and/or separate users with remote login privileges on individual servers, rather than utilising a single domain admin account for all their work.

Improve this answer
2
  • +1. Technically on Windows the term "service account" has a specific meaning very close in practice to how it's used on Linux - a "user" that can only be logged into by a non-interactive Windows Service, and usually (but not always) is unique to that one service and has very limited privileges (docs.microsoft.com/en-us/windows/security/identity-protection/…, though for some reason they pretend it's specific to Windows Server SKUs) - but as you say the nomenclature is all over the place.
    – CBHacking
    Commented Feb 16, 2022 at 21:55
  • @CBHacking It also doesn't help that the terminology has slightly different meanings depending on whether you're talking about transparently created local service SIDs or managed service accounts for things like SQL Server in a domain environment. But I really don't want to spend five hours writing an answer that covers all that :P
    – Polynomial
    Commented Feb 16, 2022 at 22:00

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .