Restrict DCSync Permissions on Service Accounts
Ensure service accounts with SPNs can't simulate domain controller operations.
Plain language
This control is all about making sure certain service accounts in your organisation's computer network don't have too much power. These accounts often need to do specific tasks but if they can pretend to be a domain controller, it could allow someone to steal or change sensitive data. Keeping these permissions in check prevents major security risks.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Service accounts configured with an SPN do not have DCSync permissions.
Why it matters
If SPN service accounts have DCSync rights, attackers can replicate AD data, steal credentials and compromise the domain.
Operational notes
Audit SPN service accounts and confirm they lack DCSync/replication rights (Get-ADPermission), removing any found.
Implementation tips
- IT team should review permissions: Go through all service accounts with Service Principal Names (SPNs) and ensure they do not have permissions that allow them to act like a domain controller. Use a directory management tool to list these accounts and adjust permissions where necessary.
- System owner should organise regular reviews: Schedule regular reviews of service account permissions, at least quarterly, to ensure no new permissions have been inappropriately granted. Document these reviews and keep them on file.
- Managers should request training: Arrange for your IT team to receive training on identifying and securing high-risk permissions. Check for local courses or consult the Australian Cyber Security Centre (ACSC) guidelines.
- IT team should set up alerts: Use your network's auditing tools to create alerts for unusual permission changes to service accounts, which might indicate a potential security incident. Test these alerts monthly to ensure they're working properly.
- HR and IT should work together: When an employee leaves, ensure their network permissions, including any for service accounts they may have managed, are promptly reviewed and removed if no longer necessary. Set this as a standard part of the exit process.
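The audit described in the operational note and the first implementation tip, as an added PowerShell example (not the ISM's or Control Stack's own tooling): it reads the ACL of the domain naming context, keeps the ACEs granting the replication extended rights that make up DCSync, and reports every SPN-bearing user that holds one of them directly or through nested group membership. The function name Get-DcSyncSpnAccounts is an assumption; the right GUIDs are the well-known schema values.

```powershell
# Added example, not from the ISM or Control Stack: report service accounts that carry an SPN
# and hold DCSync (directory replication) rights on the domain, directly or via group membership.
Import-Module ActiveDirectory

# Control-access-right GUIDs that together make up "DCSync" (well-known AD schema values)
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DcSyncSpnAccounts {
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl      = Get-Acl -Path "AD:\$domainDN"   # ACL of the domain naming context head

    # Allow ACEs granting a replication extended right (or all extended rights: empty ObjectType)
    $trustees = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        $guid = $ace.ObjectType.ToString()
        if ($ReplicationRights.ContainsKey($guid))  { $right = $ReplicationRights[$guid] }
        elseif ($ace.ObjectType -eq [Guid]::Empty)  { $right = 'All extended rights' }
        else { continue }
        # Normalise the trustee to a SID so it can be matched against account and group SIDs
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }
        [pscustomobject]@{ Trustee = $ace.IdentityReference.Value; Sid = $sid; Right = $right }
    }

    # Every user object with at least one servicePrincipalName
    $spnAccounts = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName
    foreach ($acct in $spnAccounts) {
        # SIDs of the account plus all groups it belongs to, nested included (LDAP_MATCHING_RULE_IN_CHAIN);
        # the DN is escaped per RFC 4515 before being placed in the filter
        $escapedDn = $acct.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        $groupSids = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escapedDn)" |
                     ForEach-Object { $_.SID.Value }
        $sids = @($acct.SID.Value) + @($groupSids)

        foreach ($t in ($trustees | Where-Object { $sids -contains $_.Sid })) {
            [pscustomobject]@{
                Account    = $acct.SamAccountName
                SPNs       = ($acct.servicePrincipalName -join '; ')
                GrantedVia = $t.Trustee
                Right      = $t.Right
            }
        }
    }
}

# An empty result set is the expected state under ISM-1933; each row is a finding to remediate
Get-DcSyncSpnAccounts | Format-Table -AutoSize
```

Run it from an account that can read the domain head's security descriptor; the primary group (usually Domain Users) is not covered by the member-chain query, and computer objects with SPNs are out of scope here since the control speaks of service accounts.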
Audit / evidence tips
- Ask for a permissions audit report: Request the latest detailed report showing permissions for service accounts with SPNs.
  Good: shows none of these accounts have such permissions.
- Ask for a review schedule: Request the document outlining the schedule for regular service account reviews.
  Good: schedule shows reviews happen at least quarterly.
- Ask for training records: Request proof of staff training related to this control.
  Good: record includes recent completion dates and training topics.
- Ask for alert setup details: Request documentation on alerts set up for detecting unusual permission changes.
  Good: setup includes detailed criteria and regular testing.
- Ask to see the exit protocol: Request the HR procedure for when employees leave.
  Good: protocol clearly integrates IT in the handover process to review and revoke permissions.
Cross-framework mappings
How ISM-1933 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| Annex A 5.15 | ISM-1933 requires an explicit logical access restriction: SPN service accounts must not have DCSync (directory replication) permissions | |
| Annex A 5.18 | ISM-1933 requires removing/avoiding DCSync permissions for SPN-configured service accounts to prevent directory replication abuse | |
| Annex A 8.3 | ISM-1933 requires that service accounts configured with an SPN are not granted DCSync permissions (i.e | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| E8-RA-ML3.1 | ISM-1933 requires that service accounts with SPNs are not granted DCSync permissions, limiting a high-risk privilege that enables domain ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.