We would like to install various Windows software (.exe) using SCCM but have noticed that SCCM uses a domain admin account when pushing executables. Thus, we are concerned that the account's password hashes and Windows Access Tokens will be left-over on all of our servers and workstations after the installation process - which could obviously be stolen and used to compromise our entire network using pass-the-hash or token impersonation.
What is the safest way to push Windows executables across our network using SCCM without the risks outlined above? If you would be kind enough to provide us with a methodology and process in bullet point format along with URLs to additional instructional content to help us that would be much appreciated.
Thank you in advance.
F0n.