3

I plan on creating a domain user account that will be able to log on as a service, but have only the minimum requirements for this service to function. Of course this could be misconfigured, but assuming I don't add a user that has too many privileges, is there an inherent security risk involved?

I couldn't find an article about this after doing some googling. If there is an article that someone could link me to, I'd appreciate it.

Thanks.

Tim

1 Answer

3

The user will have access to anything that the Everyone and Users groups have access to, which means it's similar to a guest account. Everything outside user directories and system directories will be readable by default, though some system directories are readable too.

Assuming you appropriately configure the user, there should be minimal risk. However, it is certainly advisable to configure auditing for that user, via local or group policy, in order to ensure that any misuse is logged, so that you can take measures to stop that misuse and make changes to prevent it in future.

This should give you a reasonable standing from a security perspective. That being said, this is actually one of the few areas that I feel the Windows security model is lacking in - i.e. single purpose users that don't automatically have access to anything but a specific set of directories.

Polynomial
  • Thank you. What is the risk compared to running as the default Local System account or another service account? – Tim Sep 23 '13 at 13:38
  • Local System is the same as `SYSTEM`, which is analogous to root in the Linux world - compromise SYSTEM and you've compromised everything. Other service accounts, e.g. Network Service, have some security benefits (e.g. segregation of access across same-user processes) but are still high-privilege accounts. Using a dedicated user ensures maximum separation and allows for more narrow assignment of minimum necessary privileges, but is obviously more difficult to implement and has more potential pitfalls. – Polynomial Sep 23 '13 at 13:50
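
The answer above recommends auditing the dedicated account so that misuse is logged. The following is an added example, not part of the original answer: it reviews logon events (4624 success, 4625 failure) and reports any use of the service account other than a successful service logon (logon type 5). The account name `svc-example`, the function names and the sample events are constructed for illustration.

```powershell
# Hypothetical account name; substitute the dedicated service account.
$ServiceAccount = 'svc-example'

function Get-UnexpectedServiceLogon {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,   # each item is one event's ToXml() output
        [Parameter(Mandatory)][string]$Account
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        # EventID is a plain string unless the element carries attributes.
        $idNode = $evt.System.EventID
        $id = if ($idNode -is [string]) { [int]$idNode } else { [int]$idNode.'#text' }
        if ($id -notin 4624, 4625) { continue }      # 4624 = logon, 4625 = failed logon

        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $Account) { continue }

        $type = [int]$data['LogonType']
        # Logon type 5 is a service start; a successful type 5 logon is expected.
        if ($id -eq 4624 -and $type -eq 5) { continue }

        [pscustomobject]@{
            EventId   = $id
            LogonType = $type
            Source    = $data['IpAddress']
            Reason    = if ($id -eq 4625) { 'failed logon' } else { 'non-service logon' }
        }
    }
}

# Constructed sample events (not real log data), trimmed to the fields used.
function New-SampleEvent($id, $user, $type, $ip) {
    "<Event><System><EventID>$id</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>$user</Data><Data Name='LogonType'>$type</Data>" +
    "<Data Name='IpAddress'>$ip</Data></EventData></Event>"
}
$sample = @(
    (New-SampleEvent 4624 'svc-example' 5  '-'),           # expected service start
    (New-SampleEvent 4624 'svc-example' 10 '192.0.2.15'),  # remote interactive: flagged
    (New-SampleEvent 4625 'svc-example' 3  '192.0.2.40'),  # failed network logon: flagged
    (New-SampleEvent 4624 'jdoe'        2  '127.0.0.1')    # other account: ignored
)
Get-UnexpectedServiceLogon -EventXml $sample -Account $ServiceAccount | Format-Table

# Against the live Security log (elevated prompt, logon auditing enabled):
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625} | ForEach-Object { $_.ToXml() }
```

On the constructed sample this reports two rows: the type 10 logon and the failed type 3 attempt.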