Different Types of IT User Accounts

Guide: Different Types of IT User Accounts

Overview

Depending on your role within the university, you may be privileged to have multiple types of university accounts. All users who have an account(s) are required to complete the Information Security Awareness training within 60 days of hire and every two years after that. 

Three of the main types of university access accounts include:

  1. Elevated Access (EA) Account: are used by system administrators to manage and maintain IT infrastructure. This includes tasks like installing and configuring software, managing servers, and troubleshooting issues. Elevated Access accounts are used to manage user permissions and access to resources. This includes creating and modifying user accounts, assigning roles, and setting access levels for different resources.
  2. Service Account: are used for automated tasks and scheduled jobs, such as backups, updates, and maintenance tasks. These accounts can run scripts and processes without requiring human intervention. Service accounts are used to run applications and services with specific permissions. This ensures that the services have the necessary access to perform their tasks without granting excessive permissions.
  3. Regular Account: are used for doing your day-to-day tasks such as email, using the Internet, Microsoft 365 applications, etc. Day-to-day tasks create a lot of risk to Regular Account credentials (phishing, malware, etc.), so you must not use your normal credentials for any admin-level tasks.

 

When to Use Each Account

You must only use the necessary account for the corresponding action to ensure security protocols are met. Your Regular Account must be used for all normal, everyday business use (email, internet usage, etc.). You must not be logged into any of the other access accounts while you are doing day-to-day work and are not utilizing them for a specific task. Conversely, if you are doing any admin-level tasks, you must use an EA or Service account as appropriate. This is because everyday use creates risk with the Regular Account credentials (phishing, smishing, malware, etc.).  Anytime you connect to any server you should use your EA account. 

Specific use cases:

  • Elevated Access (EA) Account: used for setting up hardware and software.
  • Service Account: used for scheduling jobs and very specific automated tasks. These are the ONLY purposes to use a Service Account and it must NOT have Elevated Access. 
  • Regular Account: used for day-to-day university activities such as email, searching the Internet, Microsoft 365 applications, etc. 

 

Definitions Related to Service Accounts

Service Account in Windows Active Directory is a user account specifically created to run a particular service or application. These accounts provide a security context for services running on a server, enabling them to access both local and network resources. When applications requiring service accounts are installed, these accounts are granted the necessary rights and security permissions. Notably, service accounts do not contain personal data such as files in OneDrive, Microsoft Teams, enterprise storage, or mailboxes/calendars.

Following are three main types of accounts tailored to specific needs and usage scenarios while maintaining security standards:

Standard Service Account:  “Run as” to a specific network/application/device for tasks or duties to be performed (i.e. scripts, SQL, etc.). 

  • One service account per service or device (printer/freezer/etc.) 
  • No shared use. 
  • 35 characters password and all the other standard password requirements apply. 
  • Passwords do not automatically expire, but are required to change every 24 months.  
  • Not a user account, not for daily use.  
  • No interactive log-ons allowed. 
  • No VPN Access. 
  • Elevated rights of permissions can be assigned. 
  • The same password must not be used on more than one account. 
  • No shared account credentials. 

Non-Standard Service Account: Same as a standard service account, but with a shorter password length due to specific system requirements.  

  • 16-35 characters passwords and all the other standard password requirements apply. 
  • One service account per service or device (printer/freezer/etc.) No shared use. 
  • Passwords do not automatically expire, but are required to change every 24 months.  
  • Not a user account, not for daily use.  
  • No interactive log-ons allowed. 
  • No VPN Access. 
  • The same password must not be used on more than one account. 
  • Elevated rights of permissions can be assigned. 
  • No shared account credentials. 

Shared Account: A classroom or designated environment that has shared equipment with single user account/credentials attached. 

  • Used to access shared systems in a very limited capacity. 
  • No admin rights or elevated permissions. 
  • No VPN Access. 
  • Password automatically expires and are required to be changed every 180 days AND when someone who has access to the password leaves the university or changes job roles. 
  • Standard password strength and complexity (16 characters/numbers/special characters and no reuse of previous passwords, etc.).
  • Interactive log-ons allowed.  
  • The same password must not be used on more than one account. 
  • Equipment must be physically locked down in the work environment or able to geo-locate and remote manage. 

Service Account Owner is the person responsible for the managing the account including requesting the service account be created and removed, managing the password and password changes, and ensuring the account has access only to the essential things it needs to perform its functions. 

Service Account Customer is a CU Anschutz or CU Denver employee who has a business need for a service account but does not have an IT administrator role.

Provisioning refers to the process of creating and managing user service accounts. 

An IT Administrator is the designated person outside of Information Strategy and Services (ISS) responsible for technology in their business area.

An Interactive login refers to a login approach where a user engages directly with the computer system through a user interface, such as by a graphical user interface (GUI) or a command line interface (CLI).

 

Account Protection Best Practices

Protecting and securing your account from malicious actors is the first line of defense for protecting university data. Follow these best practice protective measures to increase account security. 

Password Composition: New university password requirements for all Regular Accounts need all faculty, staff and students to create account passwords that are 16 characters long, both lowercase and uppercase letters, a special character, and a number. We suggest using a passphrase. Passphrases are easier to remember and can easily create a longer password.

  • Regular Accounts must have a minimum 16 character password.
  • EA and Service Accounts must have a minimum 35 character password.

Do Not Share Account Information: To maintain security, never share your account password with anyone. The Service Desk will never ask for your password or passphrase and neither will anyone else. 

Do Not Share Accounts: All accounts must be used by a single user. For group accounts, such as a shared email, it must be created as a shared inbox where each user logs in using their own university credentials. No accounts should use a single password for multiple users.

 

Why Account Protection and Use Matters

Using different account access types for specific tasks and using those accounts correctly for the appropriate corresponding task is essential to information security. When the wrong access account is used for a task, it can increase the opportunity for that account to be compromised and incorrect reporting.

More Access = More Risk:

When an account with elevated access levels is compromised, malicious actors will use that account to infiltrate the university system and gain access to high level and secure data. Because accounts with elevated access levels open more doors, malicious actors will try brute force tactics to compromise one of these accounts, putting these accounts at a higher risk.

Accurate Account = Accurate Reports:

Using the correct access account to complete the appropriate corresponding task will allow for proper logging and identification of tasks performed. Having accurate reporting not only helps data collection, but it can help identify a security breach if a task was performed that wasn't supposed to be. 

If You Have an Account You Do Not Use:

It is important to contact the Service Desk if you have an EA or Service Account and do not need it, or if you had one of these accounts and your job responsibilities have changed and you're unsure if you still have one. This will ensure that the account will be deleted in a timely manner and will not be susceptible to attackers who are trying to get information, money, etc. out of our environment. 

 

Service Account Standards

Service account owners must adhere to best practices when using a service account. This acknowledgement is obtained during the service account request process. Users will be prompted to acknowledge the following best practices:

  • You agree to assign the least amount of privilege necessary for the task and limit service account privileges to minimize the risk of service account abuses.
  • You agree to avoid using default service accounts and will use a dedicated service account for each task or application.
  • You agree to follow the defined naming and documentation conventions.
  • You agree to report any unused or retired service accounts for official deactivation.
  • You agree not to embed sensitive information or terms in the email address of a service account.

Potential Abuses of Service Accounts

Although service accounts are valuable tools, they can be susceptible to various forms of abuse:

  • Privilege Escalation: A malicious actor might gain unauthorized access to resources by impersonating the service account.
  • Spoofing: A malicious actor might use service account impersonation to hide their identity.
  • Non-repudiation: A malicious actor might conceal their identity and actions by using a service account, making it difficult to trace these actions back to them.
  • Information Disclosure: A malicious actor might gather information about your infrastructure, applications, or processes from the existence of certain service accounts.

Improper Use of Service Accounts

Improper use or management of IT service accounts can lead to significant security risks and operational issues:

  • Excessive Privileges: Granting service accounts more privileges than necessary can expose critical systems to potential attacks.
  • Weak Passwords: Using weak or default passwords for service accounts makes them easy targets for hackers.
  • Password Sharing: Sharing service account credentials among multiple users increases the risk of misuse and complicates accountability.
  • Hardcoding Credentials: Storing service account credentials in scripts or code can expose them to unauthorized access.

Proper management involves implementing strict access controls, regular monitoring, and periodic audits to ensure service accounts are used securely and efficiently.

 

Frequently Asked Questions:

What is the password complexity and password change requirements for service accounts?