
Service account protection and AD attack paths: are your controls ready?


(@nhi-mgmt-group)

TL;DR: Compromised service accounts sit at the centre of destructive breaches, with Semperis citing the Merck NotPetya case where initial access came through a patching account and damages exceeded $1.4 billion. The lesson is that static passwords, excessive privilege, and forgotten identities turn routine machine accounts into durable breach paths.

NHIMG editorial — based on content published by Semperis: Why is securing service accounts essential for reducing breach risk?

Questions worth separating out

Q: How should security teams govern service accounts with standing privilege?

A: Treat them as governed identities with owners, scope, and lifecycle states, not as technical leftovers.

Q: Why do forgotten service accounts increase breach risk?

A: Forgotten accounts are risky because no one knows who owns them, what they do, or whether their access is still justified.

Q: What breaks when service account monitoring is only periodic?

A: Periodic review sees an account only as it looks at review time. A service account can move from normal to risky between two reviews (a new group membership, a new permission grant, a new SPN), and that interval is exactly the window an attacker uses, so a quarterly or monthly control cannot see the change until it is too late.

Practitioner guidance

  • Assign owners to every service account: create a named business owner and a named technical owner for each account, including an escalation path for orphaned identities.
  • Reduce standing privilege on machine identities: review each account's permissions against actual workload needs and remove any access that is not required for the current application state.
  • Build continuous discovery into identity operations: use ongoing discovery and object grouping to surface unknown, stale, and misconfigured service accounts before they become hidden entry points.
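One way to turn the three controls above into a repeatable check, written as an added example for this post (it is not Semperis's code and not a Directory Services Protector feature): pull the handful of AD attributes that matter for a service account and score each account for missing ownership, non-expiring or stale passwords, membership in privileged groups, and the Kerberoastable-plus-privileged combination that attack path analysis would flag first. In production the records come from an LDAP search or from Get-ADUser with the same property names; here three records are constructed inline so the script runs offline. The attribute names and userAccountControl bit values are the real AD ones; the use of managedBy as the owner field, the privileged-group list, the 365-day staleness threshold and every value in the sample records are assumptions.

```python
"""Service-account triage against the three controls above (owner, standing
privilege, discovery of stale or misconfigured accounts).

Added example; not code from Semperis or from Directory Services Protector.
The records below are constructed to look like the attributes an LDAP search
(or Get-ADUser -Properties ...) returns: attribute names and the
userAccountControl bit values are the real AD ones, all values are invented.
Assumption: the environment records the account owner in 'managedBy'.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# userAccountControl flag bits (real AD values)
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000

# Assumption: these are the groups this environment treats as standing privilege.
PRIVILEGED_GROUPS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example",
    "CN=Enterprise Admins,CN=Users,DC=corp,DC=example",
    "CN=Administrators,CN=Builtin,DC=corp,DC=example",
}
STALE_PASSWORD_DAYS = 365                           # assumption: local policy
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)     # fixed clock so the run is reproducible


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC; 0 means never set."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used only to build the sample records."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def triage(record: dict) -> list:
    """Return the findings for one account record, in a fixed order."""
    uac = record.get("userAccountControl", 0)
    if uac & ACCOUNTDISABLE:
        return ["disabled"]            # no live path; cleanup candidate, nothing else to score
    findings = []
    if not record.get("managedBy"):
        findings.append("no-owner")
    if uac & DONT_EXPIRE_PASSWORD:
        findings.append("password-never-expires")
    last_set = filetime_to_datetime(record.get("pwdLastSet", 0))
    if last_set is None or NOW - last_set > timedelta(days=STALE_PASSWORD_DAYS):
        findings.append("stale-password")
    privileged = bool(PRIVILEGED_GROUPS & set(record.get("memberOf", [])))
    if privileged:
        findings.append("privileged-group-member")
    # An SPN on a user object lets any domain user request a service ticket and
    # crack the password offline (Kerberoasting); with group privilege on top,
    # that is a one-hop path from any foothold to Tier 0.
    if privileged and record.get("servicePrincipalName"):
        findings.append("kerberoastable-and-privileged")
    return findings


# Constructed sample directory export (three accounts; every value invented).
SAMPLE_RECORDS = [
    {
        "sAMAccountName": "svc-patch",
        "userAccountControl": 0x10200,             # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
        "pwdLastSet": datetime_to_filetime(datetime(2021, 3, 15, tzinfo=timezone.utc)),
        "servicePrincipalName": ["HTTP/patch01.corp.example"],
        "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"],
        "managedBy": None,
    },
    {
        "sAMAccountName": "svc-backup",
        "userAccountControl": 0x0200,              # NORMAL_ACCOUNT
        "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=30)),
        "servicePrincipalName": ["MSSQLSvc/bkp01.corp.example:1433"],
        "memberOf": ["CN=SQL-Backup-Jobs,OU=Groups,DC=corp,DC=example"],
        "managedBy": "CN=Backup Team,OU=Groups,DC=corp,DC=example",
    },
    {
        "sAMAccountName": "svc-legacy",
        "userAccountControl": 0x0202,              # NORMAL_ACCOUNT | ACCOUNTDISABLE
        "pwdLastSet": 0,
        "servicePrincipalName": [],
        "memberOf": [],
        "managedBy": None,
    },
]


def report(records=SAMPLE_RECORDS) -> dict:
    """Map sAMAccountName -> findings; an empty list means the account passed."""
    return {r["sAMAccountName"]: triage(r) for r in records}


if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name:12s} {', '.join(findings) or 'ok'}")
```

Run on a real export, the same function is what a continuous control would execute on every change event rather than on a review calendar: feed it the record after each modification and alert on any finding that was not present before, which is the gap the periodic-review question above describes.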

What's in the full article

Semperis's full article covers the operational detail this post intentionally leaves for the source:

  • How Directory Services Protector discovers unknown and misplaced service accounts in live environments
  • How automated undo and disablement actions can be configured for specific anomalous behaviours
  • How object lists can be imported from AD or external systems to improve monitoring scope
  • How attack path analysis is used to trace relationships between principals, permissions, and high-value assets

👉 Read Semperis's analysis of service account protection and AD attack paths →
