Windows – What user account should we use for scheduled tasks on a server with sensitive material

Tags: scheduled-task, users, windows

I'm working in a team with 10 developers. We have servers set up which perform backup, automated build of software, automated deployment and more. Some of these servers contain sensitive material, such as login details to production systems (which are required for automated deployment).

We want to limit who has access to these machines to reduce the risk of passwords leaking out accidentally. To do this, we created a group in Active Directory containing 4 persons who are allowed to access the servers containing the sensitive material and made sure that only these 4 users could log on.

Some of these servers run scheduled tasks and Windows services to perform backup/deployment. These tasks/services run under a specific "shared" user account, let's call it "buildacc". The reason for this is that the tasks require access to shared resources in the network to be able to perform build/deployment. So we gave this user access to the servers as well.

To be able to modify the scheduled tasks in Windows, all 4 developers need to have access to this "buildacc" account, which means that they all have to know the shared password and inform each other when it's changed, which we don't like the idea of.

We've considered using personal accounts to run scheduled tasks such as the script for building. The downside we see is that any member in the team can change the build script and make it do new things under the user account who configured the actual scheduled task.

Are there any best practices on how to handle this situation?

Best Answer

Assuming you are using a Windows 2008R2 system and a 2008R2 AD, you can use a managed service account for this.

This TechNet blog entry has a pretty good summary of how to use managed service accounts, but here are the basic principles:

A managed service account is an AD account that is strongly tied to a computer and that has an automatically managed password. You don't create the password and nobody needs to know about it, but since it's an AD account, you can use it for network ACLs, which makes it perfect for your scenario.

Using an MSA for a scheduled task will, however, require you to use the command line to create your tasks (see this and this thread for more details).
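
The command-line setup the answer refers to, as an added example that is not part of the original answer: it creates a managed account, registers a scheduled task under it without anyone typing a password, and lists who can modify the build script the task runs. It goes beyond the 2008 R2 case by assuming Windows Server 2012 or later with a group managed service account and a KDS root key already present in the domain; the names `EXAMPLE`, `buildgmsa`, `BuildServers`, `NightlyBuild` and `C:\Build\build.ps1` are hypothetical.

```powershell
# Assumed names (hypothetical, replace with your own).
$Domain     = 'EXAMPLE'                 # NetBIOS domain name
$Account    = 'buildgmsa'               # managed account replacing "buildacc"
$HostGroup  = 'BuildServers'            # AD group containing the build server computer accounts
$ScriptPath = 'C:\Build\build.ps1'      # script the task runs

# --- Step 1: on a machine with the ActiveDirectory module, as a domain admin ---
Import-Module ActiveDirectory
# Only computers in $HostGroup may retrieve the automatically managed password.
New-ADServiceAccount -Name $Account `
    -DNSHostName "$Account.example.test" `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup

# --- Step 2: on the build server, as a local administrator ---
Install-ADServiceAccount -Identity $Account
if (-not (Test-ADServiceAccount -Identity $Account)) {
    throw "This host cannot retrieve the managed password for $Account."
}

# --- Step 3: register the task; no password is entered or stored by a person ---
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
# The trailing $ marks a managed account. LogonType Password tells the
# scheduler to obtain the password from AD rather than prompt for one.
$principal = New-ScheduledTaskPrincipal -UserId "$Domain\$Account`$" -LogonType Password
Register-ScheduledTask -TaskName 'NightlyBuild' -Action $action `
    -Trigger $trigger -Principal $principal

# --- Step 4: list who can change what runs under the account ---
# Anyone with write access to the script can execute code as $Account,
# so review every Allow entry that grants Write, Modify or FullControl.
(Get-Acl -Path $ScriptPath).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        "$($_.FileSystemRights)" -match 'Write|Modify|FullControl'
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

The account also needs the "Log on as a batch job" right on the build server, and it should be granted only the share and deployment permissions the tasks actually use.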