About this program
Service accounts get over-privileged and never rotated — quick health check on inventory, scoping and credential rotation.
Risks addressed
- Critical: Over-privileged service account abused for lateral movement
- High: Stale service accounts not deprovisioned when systems retire
- Critical: Service account credentials hardcoded in scripts / repos
Controls (6)
- High: Inventory of all service accounts
  How to test + evidence
  Testing procedure: Request the service-account register and reconcile it against IdP group membership and the CMDB. Accounts that appear in the IdP but not in the register, and registered accounts whose owning system is no longer in the CMDB, are findings.
  Evidence to collect: Service-account inventory CSV, with the reconciliation deltas.
- Critical: Least-privilege scoping for each service account
  How to test + evidence
  Testing procedure: Sample at least 5 accounts. For each, compare the effective rights (group memberships, directory roles, cloud IAM role assignments) against the account's documented purpose. A service account holding a broad administrative role (for example Domain Admins, Global Administrator or subscription Owner) is a finding unless the owner can justify it.
  Evidence to collect: Role assignment dump for the sampled accounts.
- Critical: Credentials vaulted (no hardcoded secrets)
  How to test + evidence
  Testing procedure: Run a secret scanner over source repositories (including git history) and configuration stores; any service-account password, API key or private key stored in plaintext is a finding. Confirm that every account in the inventory is onboarded to the PAM / secrets vault and that consumers fetch credentials at runtime rather than reading them from files.
  Evidence to collect: Secret-scan report and PAM coverage (accounts vaulted versus accounts in the inventory).
- High: Automatic rotation enabled
  How to test + evidence
  Testing procedure: Verify that passwords and keys rotate automatically on a documented cadence (for example gMSA-managed or PAM-driven rotation). Check that the last rotation timestamp for each account falls within that cadence and that no account carries a never-expiring credential.
  Evidence to collect: PAM rotation log.
- High: No interactive logon to service accounts
  How to test + evidence
  Testing procedure: Confirm that GPO user-rights assignments (Deny log on locally, Deny log on through Remote Desktop Services) or the equivalent IdP policy block interactive and remote-interactive logon for service accounts. Spot-check recent logon events for interactive session types by service accounts (on Windows, event 4624 with logon type 2 or 10).
  Evidence to collect: Policy export.
- Medium: Disable / decommission stale accounts
  How to test + evidence
  Testing procedure: Verify that accounts with no logon for more than 90 days (from lastLogonTimestamp or IdP sign-in logs) are flagged and disabled, and that accounts belonging to retired systems are removed rather than left disabled indefinitely. Note that lastLogonTimestamp in Active Directory is only replicated on a delay (by default up to 14 days), so allow for that lag before treating an account as inactive.
  Evidence to collect: Inactivity report.
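The inventory, scoping, rotation and staleness checks above are easy to script once the register is in hand. The following is an added example written for this page, not part of the original program or any vendor tool: it loads a constructed service-account register, reconciles it against a constructed IdP group and CMDB, and applies the over-privilege, rotation-age and 90-day inactivity tests. The column names, the privileged-role list and the 90-day rotation cadence are assumptions; substitute the organisation's own.

```python
"""Service-account health check over a constructed inventory.

Added example, not from the original page. Reconciles a service-account
register against IdP group membership and a CMDB, then applies the
scoping, rotation and staleness tests from the checklist. All data is
constructed; the column names (account, owner_system, roles, last_logon,
last_rotated), the privileged-role list and the cadences are assumptions.
"""
import csv
import io
from datetime import date

TODAY = date(2024, 6, 1)           # fixed "now" so the run is reproducible
STALE_DAYS = 90                    # checklist threshold for inactivity
MAX_ROTATION_DAYS = 90             # assumed documented rotation cadence
PRIVILEGED_ROLES = {"Domain Admins", "Global Administrator", "Owner"}  # assumption

# Constructed register (the "service-account inventory CSV").
REGISTER_CSV = """account,owner_system,roles,last_logon,last_rotated
svc-backup,Backup Server,Backup Operators,2024-05-30,2024-05-01
svc-ci,Jenkins,Domain Admins;Backup Operators,2024-05-31,2023-01-15
svc-legacy-erp,ERP v2,Domain Users,2023-11-02,2023-11-02
svc-monitor,Zabbix,Event Log Readers,2024-05-29,2024-04-10
"""

# Constructed IdP view: members of the service-account group.
IDP_SERVICE_ACCOUNT_GROUP = {"svc-backup", "svc-ci", "svc-monitor", "svc-orphan"}

# Constructed CMDB: systems that are still live.
CMDB_LIVE_SYSTEMS = {"Backup Server", "Jenkins", "Zabbix"}


def load_register(text):
    """Parse the register CSV into rows with typed roles and dates."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["roles"] = set(filter(None, row["roles"].split(";")))
        row["last_logon"] = date.fromisoformat(row["last_logon"])
        row["last_rotated"] = date.fromisoformat(row["last_rotated"])
    return rows


def reconcile(rows, idp_group, cmdb_systems):
    """Control 1: register vs IdP group vs CMDB; every delta is a finding."""
    in_register = {r["account"] for r in rows}
    return {
        "in_idp_not_in_register": sorted(idp_group - in_register),
        "in_register_not_in_idp": sorted(in_register - idp_group),
        "owner_system_retired": sorted(
            r["account"] for r in rows if r["owner_system"] not in cmdb_systems),
    }


def over_privileged(rows):
    """Control 2: service accounts holding a broad administrative role."""
    return sorted(r["account"] for r in rows if r["roles"] & PRIVILEGED_ROLES)


def rotation_overdue(rows, today=TODAY, max_age=MAX_ROTATION_DAYS):
    """Control 4: credential older than the documented cadence."""
    return sorted(r["account"] for r in rows
                  if (today - r["last_rotated"]).days > max_age)


def stale(rows, today=TODAY, threshold=STALE_DAYS):
    """Control 6: no logon for more than the threshold."""
    return sorted(r["account"] for r in rows
                  if (today - r["last_logon"]).days > threshold)


def health_check(register_csv=REGISTER_CSV, idp_group=IDP_SERVICE_ACCOUNT_GROUP,
                 cmdb_systems=CMDB_LIVE_SYSTEMS):
    """Run every check and return a dict of finding -> affected accounts."""
    rows = load_register(register_csv)
    report = reconcile(rows, idp_group, cmdb_systems)
    report["over_privileged"] = over_privileged(rows)
    report["rotation_overdue"] = rotation_overdue(rows)
    report["stale"] = stale(rows)
    return report


if __name__ == "__main__":
    for finding, accounts in health_check().items():
        print(f"{finding}: {', '.join(accounts) or 'none'}")
```

Each finding key maps to a control in the list above, so the output doubles as the evidence file for that control. In a real run the register, group membership and CMDB would be exported from the directory, IdP and CMDB rather than embedded; the checks themselves do not change.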
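For the hardcoded-secrets control, a minimal scan that separates plaintext credentials from vault references is shown below. This is an added example written for this page, not part of the original program; real assessments should run a dedicated scanner such as gitleaks or trufflehog over full repository history. The sample files, patterns and the vault-reference syntax (`${VAULT:...}`, `credentialsId`) are constructed assumptions.

```python
"""Hardcoded service-account credential scan over constructed repo files.

Added example, not from the original page. Walks a set of in-memory
files, reports lines that assign a password/key-like name to a literal
value, and skips lines whose value is a reference into a vault or PAM
tool. File contents, patterns and the vault-reference syntax are
constructed assumptions.
"""
import re

# Constructed sample files keyed by repository path.
FILES = {
    "deploy/backup.ps1": (
        '$cred = New-Object PSCredential("svc-backup", '
        '(ConvertTo-SecureString "Winter2021!" -AsPlainText -Force))\n'),
    "ci/Jenkinsfile": (
        "withCredentials([usernamePassword(credentialsId: 'svc-ci', "
        "usernameVariable: 'U', passwordVariable: 'P')]) { }\n"),
    "app/config.yml": "db_user: svc-app\ndb_password: ${VAULT:secret/svc-app/password}\n",
    "scripts/sync.sh": 'SVC_PASSWORD="hunter2"\nAWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n',
}

# name = literal  or  name: literal  where name looks like a credential.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|access[_-]?key)\s*[:=]\s*['\"]?([^\s'\"]+)")
# PowerShell idiom that turns a plaintext literal into a credential.
PLAINTEXT_SECURESTRING = re.compile(
    r'(?i)(ConvertTo-SecureString)\s+"([^"]+)"\s+-AsPlainText')
# Values that point into a vault / PAM store rather than holding a secret.
VAULT_REFERENCE = re.compile(r"(?i)\$\{vault:|vault://|credentialsId")


def mask(value):
    """Redact a secret for the report: keep two chars, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_text(path, text):
    """Return (path, line_no, name, masked_value) for each suspect line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if VAULT_REFERENCE.search(line):
            continue  # runtime lookup, not a hardcoded secret
        match = SECRET_ASSIGNMENT.search(line) or PLAINTEXT_SECURESTRING.search(line)
        if match:
            findings.append((path, line_no, match.group(1), mask(match.group(2))))
    return findings


def scan_files(files=FILES):
    """Scan every file; result is the raw material for the secret-scan report."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def files_with_secrets(files=FILES):
    """Distinct paths that need remediation (vaulting plus rotation)."""
    return sorted({path for path, _, _, _ in scan_files(files)})


if __name__ == "__main__":
    for path, line_no, name, value in scan_files():
        print(f"{path}:{line_no}: {name} = {value}")
```

The vault-reference skip matters in practice: `db_password: ${VAULT:...}` is exactly what the control wants to see, and a scanner that flags it trains reviewers to ignore its output. Every hit that is confirmed should be treated as a compromised credential and rotated, not just removed from the file, because it remains in repository history.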