Limit Service Accounts with SPNs in Active Directory
Reduce the number of special accounts to improve security in Active Directory.
Plain language
This control is about reducing the number of special accounts, called service accounts, that have something called a Service Principal Name in Active Directory. By keeping the number of these accounts to a minimum, it helps prevent unauthorised access to important systems. If this isn't done, hackers could exploit these special accounts to access sensitive data and control your systems, which could lead to data breaches and operational disruption.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
The number of service accounts configured with an SPN is minimised.
Why it matters
Too many AD service accounts with SPNs increase Kerberoasting and credential theft risk, enabling lateral movement and broader domain compromise.
Operational notes
Periodically inventory accounts with SPNs, remove unused SPNs, consolidate where possible, and retire unneeded service accounts to minimise attack surface.
Implementation tips
- The IT team should identify all existing service accounts in Active Directory. They can do this by querying the directory for every account that currently has a Service Principal Name set on it; computer accounts carry SPNs by design, so the review focuses on user accounts used to run services.
- System administrators should review the necessity of each service account. This involves checking if each account is actively used and essential for business operations. Unused or unnecessary accounts should be disabled or deleted.
- IT security officers should confirm that remaining service accounts meet security requirements. This means ensuring these accounts have strong, unique passwords and follow company security protocols. Consider implementing password policies that require regular updates.
- Managers should collaborate with IT to ensure that new service accounts are created only when essential. They review requests for new accounts to ensure they are justifiable and tied to specific business needs.
- The IT team should regularly audit service accounts. This involves setting up a schedule, perhaps quarterly, to check if all existing service accounts with Service Principal Names are still required and verifying compliance with security standards.
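The inventory, review and audit steps above can be run as one script. The following PowerShell is an added example written for this page, not code from the Control Stack page or from the ASD ISM; it assumes the RSAT ActiveDirectory module is installed, the account running it can read the domain, and the staleness thresholds (90 days without a logon, a password older than one year) are placeholders to be set by local policy.

```powershell
# Added example: inventory AD user accounts that carry a Service Principal Name
# so that unused accounts and SPNs can be reviewed, retired and evidenced.
# Assumes the RSAT ActiveDirectory module; thresholds below are assumed values.
Import-Module ActiveDirectory

$staleDays  = 90                                 # assumed: no logon in this period = review candidate
$cutoff     = (Get-Date).AddDays(-$staleDays)
$pwdCutoff  = (Get-Date).AddYears(-1)            # assumed: password older than this = long-lived secret

# Only user objects are in scope; computer accounts hold SPNs by design.
$spnAccounts = @(Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate, Enabled, Description |
    ForEach-Object {
        # LastLogonDate derives from lastLogonTimestamp, which replicates with up to a 14-day lag,
        # so a "stale" flag is a prompt to check, not proof the account is unused.
        [PSCustomObject]@{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            SpnCount        = @($_.ServicePrincipalName).Count
            SPNs            = (@($_.ServicePrincipalName) -join '; ')
            PasswordLastSet = $_.PasswordLastSet
            LastLogonDate   = $_.LastLogonDate
            StaleCandidate  = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
            OldPassword     = (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $pwdCutoff)
            Description     = $_.Description
        }
    })

# Summary figures for the review meeting and the audit record
'Accounts with SPNs: {0}' -f $spnAccounts.Count
'Stale candidates (no logon in {0} days): {1}' -f $staleDays, @($spnAccounts | Where-Object StaleCandidate).Count
'Passwords older than one year: {0}' -f @($spnAccounts | Where-Object OldPassword).Count

# Dated export: this is the "list of all service accounts with SPNs" an auditor asks for,
# and successive exports show whether the count is trending down.
$spnAccounts | Sort-Object StaleCandidate, OldPassword -Descending |
    Export-Csv -Path ('spn-accounts-{0:yyyyMMdd}.csv' -f (Get-Date)) -NoTypeInformation

# Remediation for an account the review confirmed unused (placeholder names; run only under an
# approved change request so the change log becomes the evidence of removal):
# Set-ADUser -Identity 'svc-example' -ServicePrincipalNames @{Remove = 'HTTP/app.example.local'}
# Disable-ADAccount -Identity 'svc-example'
```

Running this on a schedule (for example quarterly, as the last tip suggests) and keeping each CSV alongside the change requests that acted on it produces both the inventory and the before/after comparison that the audit tips below look for. Accounts flagged with an old password are the ones whose SPN exposure matters most, since a service ticket for them can be attacked offline for as long as that password stays in use.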
Audit / evidence tips
- Ask: a list of all service accounts with Service Principal Names. Request the latest export or report that shows all such accounts in Active Directory.
  Good: a recent document showing a reduced number of service accounts compared to past records.
- Ask: documentation on the review process for service accounts.
  Good: a document that outlines a clear procedure, with the steps followed and the roles responsible.
- Ask: evidence of service account deletion or disablement. Request records of actions taken based on the review process.
  Good: logs or change requests showing that accounts were removed or disabled, with the reasons for these actions.
- Ask: security policy documents related to service accounts.
  Good: detailed policies on password complexity and update frequency specific to service accounts.
- Ask: records of recent audits of service accounts. Request audit logs or summaries from the past year.
  Good: evidence of proactive management, with documented findings and follow-up actions to reduce account numbers.
Cross-framework mappings
How ISM-1932 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.18 | ISM-1932 requires minimising the count of AD service accounts with SPNs to reduce unnecessary accounts and authentication exposure |
| Partially overlaps | Annex A 8.2 | Annex A 8.2 requires privileged access rights to be restricted and managed to reduce the risk of misuse or compromise |
| Supports | Annex A 5.16 | ISM-1932 requires organisations to minimise the number of AD service accounts configured with SPNs, reducing proliferation of long-lived ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.