ISM-1832 ASD Information Security Manual (ISM)

SPN Configuration for Active Directory Accounts

Only specialised accounts should have SPNs to increase security in Active Directory setups.

Plain language

This control focuses on making sure that only certain special types of accounts in a computer network, called service accounts and computer accounts, have something called Service Principal Names (SPNs). This is important because if too many accounts have SPNs, it opens up ways for attackers to potentially gain unauthorized access to sensitive information or systems.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2023

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Only service accounts and computer accounts are configured with Service Principal Names (SPNs).
Why it matters

Unnecessary SPNs on user accounts increase exposure to Kerberoasting and other Kerberos abuse, enabling credential compromise and lateral movement in AD.

Operational notes

Regularly audit AD for SPNs on non-service/non-computer accounts; remove any unauthorised SPNs and verify required SPNs align to documented services.

Implementation tips

  • System administrator: Limit the setting of SPNs to only these service or computer accounts. Use your network management tools to check which accounts currently have SPNs and remove them from regular user accounts.
  • IT security manager: Train staff about the importance of SPNs and why only certain accounts should have them. Conduct a short workshop explaining how improper SPN configuration can lead to security issues.
  • Network administrator: Set policies to automatically alert when an SPN is added to an inappropriate account. Configure your system to notify you via email or alerts when SPNs are altered without an approved change.
  • IT department: Regularly review and audit existing SPN configurations. Schedule monthly checks to ensure no new SPNs are improperly assigned and document any changes.
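The audit described in the operational notes and in the system administrator tip above can be run with the RSAT ActiveDirectory PowerShell module. This is an added example, not code from the ISM or from the Control Stack page; the list of documented service accounts is a placeholder to be replaced with the organisation's own register.

```powershell
# Added example: list user objects that carry an SPN, which ISM-1832 says
# should be limited to service and computer accounts. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

# krbtgt legitimately carries SPNs (its account backs the Kerberos KDC itself).
$builtInExclusions = @('krbtgt')

# PLACEHOLDER: service accounts that are documented as authorised SPN holders.
# Populate from the SPN assignment documentation referenced in the evidence tips.
$documentedServiceAccounts = @('svc_example_sql', 'svc_example_web')

# Computer objects also have objectClass=user, so objectCategory=person is what
# restricts the query to user accounts. servicePrincipalName=* means "has any SPN".
$ldapFilter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))'

$accounts = Get-ADUser -LDAPFilter $ldapFilter `
    -Properties servicePrincipalName, Enabled, PasswordLastSet, whenChanged

$report = foreach ($a in $accounts) {
    if ($builtInExclusions -contains $a.SamAccountName) { continue }
    [PSCustomObject]@{
        SamAccountName  = $a.SamAccountName
        Enabled         = $a.Enabled
        PasswordLastSet = $a.PasswordLastSet
        LastChanged     = $a.whenChanged
        SPNCount        = @($a.servicePrincipalName).Count
        SPNs            = ($a.servicePrincipalName -join '; ')
        # Documented service accounts are expected; anything else is a finding.
        Status          = if ($documentedServiceAccounts -contains $a.SamAccountName) {
                              'Documented service account'
                          } else {
                              'FINDING: undocumented user account with SPN'
                          }
    }
}

$report | Sort-Object Status, SamAccountName | Format-Table -AutoSize

# Keep the run as evidence for the audit record requested under "Audit / evidence tips".
$stamp = Get-Date -Format 'yyyyMMdd'
$report | Export-Csv -Path ".\ISM-1832-spn-audit-$stamp.csv" -NoTypeInformation

$findings = @($report | Where-Object { $_.Status -like 'FINDING*' })
Write-Output ("{0} user account(s) with SPNs require review or removal." -f $findings.Count)
```

Removing an unauthorised SPN is a separate, change-controlled step (for example with `Set-ADUser -ServicePrincipalNames @{Remove=...}`), and should only follow confirmation that no documented service depends on it.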
Audit / evidence tips

  • A list of accounts with SPNs. Ask: request the latest report from your system management tool showing accounts with SPNs. Good: only service and computer accounts are present.
  • SPN assignment policies. Ask: request documentation that outlines who can set SPNs and on which accounts. Good: clear rules exist and are enforced.
  • Training records. Ask: request logs showing who has been trained on SPN configuration recently. Good: all relevant staff trained in the last year with satisfactory content.
  • An alert log. Ask: request evidence of an alert system for SPN changes. Good: a functioning alert system with documented past alerts.
  • Audit records of SPN reviews. Ask: request documentation of the last few SPN reviews. Good: regular audits documented with corrective actions noted.
Cross-framework mappings

How ISM-1832 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001 (partially meets; 2 controls mapped)

  • Annex A 5.15: ISM-1832 requires that SPNs are only set on service and computer accounts to reduce unnecessary exposure in Active Directory.
  • Annex A 8.9: ISM-1832 requires that only service accounts and computer accounts are configured with Service Principal Names (SPNs) in Active Directory.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.