Limit Service Accounts with SPNs in Active Directory
Reduce the number of special accounts to improve security in Active Directory.
🏛️ Framework: ASD Information Security Manual (ISM)
🧭 Control effect: Preventative
🔐 Classifications: NC, OS, P, S, TS
🗓️ ISM last updated: Aug 2024
✏️ Control Stack last updated: 22 Feb 2026
🎯 E8 maturity levels: N/A
The number of service accounts configured with an SPN is minimised.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about reducing the number of special accounts, called service accounts, that have a Service Principal Name (SPN) registered in Active Directory. Keeping the number of these accounts to a minimum helps prevent unauthorised access to important systems. If this isn't done, attackers could exploit these accounts to access sensitive data and take control of your systems, which could lead to data breaches and operational disruption.
Why it matters
Too many AD service accounts with SPNs increase Kerberoasting and credential theft risk, enabling lateral movement and broader domain compromise.
Operational notes
Periodically inventory accounts with SPNs, remove unused SPNs, consolidate where possible, and retire unneeded service accounts to minimise attack surface.
Implementation tips
- The IT team should identify all existing service accounts in Active Directory by querying the directory for every account that currently has a Service Principal Name associated with it.
- System administrators should review the necessity of each service account, checking whether it is actively used and essential for business operations. Unused or unnecessary accounts should be disabled or deleted.
- IT security officers should confirm that the remaining service accounts meet security requirements: strong, unique passwords and adherence to company security protocols. Consider implementing password policies that require regular updates.
- Managers should collaborate with IT to ensure that new service accounts are created only when essential, reviewing each request to confirm it is justified and tied to a specific business need.
- The IT team should audit service accounts on a regular schedule, perhaps quarterly, checking that every remaining account with a Service Principal Name is still required and complies with security standards.
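The inventory step above, as an added example that is not part of the ISM or of Control Stack: a PowerShell script using the RSAT ActiveDirectory module to list user accounts holding SPNs and flag those that merit review. The 90-day logon and 365-day password thresholds are assumptions; adjust them to local policy.

```powershell
# Added example, not from the ISM or Control Stack. Requires the RSAT
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Assumed thresholds: no logon in 90 days or a password older than 365 days
# marks an account for review. Tune to the organisation's own policy.
$StaleLogonDays    = 90
$StalePasswordDays = 365
$Now = Get-Date

# Computer accounts carry SPNs by design; this control is about service
# accounts, so only user objects are inventoried. krbtgt always has an SPN
# and is never a removal candidate, so it is excluded from the report.
$spnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate, Enabled, Description |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }

$report = foreach ($acct in $spnAccounts) {
    $lastLogon = $acct.LastLogonDate
    $pwdSet    = $acct.PasswordLastSet
    [PSCustomObject]@{
        SamAccountName  = $acct.SamAccountName
        Enabled         = $acct.Enabled
        SpnCount        = @($acct.ServicePrincipalName).Count
        SPNs            = (@($acct.ServicePrincipalName) -join '; ')
        Description     = $acct.Description
        LastLogonDate   = $lastLogon
        PasswordLastSet = $pwdSet
        # Reasons the account should be looked at in the quarterly review:
        # still holding SPNs while disabled, no recent use, or an old password.
        ReviewReason    = @(
            if (-not $acct.Enabled) { 'disabled-with-SPN' }
            if (-not $lastLogon -or ($Now - $lastLogon).Days -gt $StaleLogonDays) { 'no-recent-logon' }
            if (-not $pwdSet -or ($Now - $pwdSet).Days -gt $StalePasswordDays) { 'old-password' }
        ) -join ','
    }
}

# Dated CSV export: the audit evidence to compare against the previous review.
$outFile = 'SPN-Accounts-{0:yyyyMMdd}.csv' -f $Now
$report | Sort-Object SpnCount -Descending | Export-Csv -Path $outFile -NoTypeInformation

$flagged = @($report | Where-Object { $_.ReviewReason }).Count
'{0} user accounts with SPNs; {1} flagged for review; written to {2}' -f @($report).Count, $flagged, $outFile
```

Keeping each quarter's CSV alongside the previous one gives the "reduced number compared to past records" evidence the audit tips ask for.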
Audit / evidence tips
- Ask: a list of all service accounts with Service Principal Names (request the latest export or report showing all such accounts in Active Directory). Good: a recent document showing a reduced number of service accounts compared to past records.
- Ask: documentation of the service account review process. Good: a document that outlines a clear procedure, the steps followed and the roles responsible.
- Ask: evidence of service account deletion or disablement (request records of actions taken as a result of the review process). Good: logs or change requests showing that accounts were removed or disabled, with the reasons for those actions.
- Ask: security policy documents related to service accounts. Good: detailed policies on password complexity and update frequency specific to service accounts.
- Ask: records of recent audits of service accounts (request audit logs or summaries from the past year). Good: evidence of proactive management, with documented findings and follow-up actions to reduce account numbers.
Cross-framework mappings
How ISM-1932 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | ||
| Annex A 5.18 | ISM-1932 requires minimising the count of AD service accounts with SPNs to reduce unnecessary accounts and authentication exposure | |
| Annex A 8.2 | ISM-1932 requires that organisations minimise the number of Active Directory service accounts configured with Service Principal Names (SP... | |
| Supports (1) | ||
| Annex A 5.16 | ISM-1932 requires organisations to minimise the number of AD service accounts configured with SPNs, reducing proliferation of long-lived ... | |