Restrict DCSync Permissions on Service Accounts
Ensure service accounts with SPNs cannot replicate directory data the way a domain controller does (DCSync).
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Aug 2024
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Service accounts configured with an SPN do not have DCSync permissions.
Source: ASD Information Security Manual (ISM)
Plain language
This control is all about making sure certain service accounts in your organisation's computer network don't have too much power. These accounts often need to do specific tasks but if they can pretend to be a domain controller, it could allow someone to steal or change sensitive data. Keeping these permissions in check prevents major security risks.
Why it matters
If SPN service accounts hold DCSync rights, an attacker who compromises one (for example by Kerberoasting its SPN and cracking the password) can ask a domain controller to replicate the directory, including password hashes for every account such as krbtgt, and from there forge tickets and take over the domain.
Operational notes
DCSync is not a property of the account: it is the combination of the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights (plus, in practice, GenericAll) on the domain naming context object, granted to a principal directly or through group membership. Audit by reading the domain object's ACL (for example Get-Acl on the AD: drive of the ActiveDirectory PowerShell module, or dsacls), listing every trustee that holds those rights, and cross-checking that list against all accounts that carry an SPN; remove any grant that resolves to such an account. Note that Get-ADPermission is an Exchange Server cmdlet and only reports Exchange object permissions, so it is not the right tool for this check.
Implementation tips
- IT team should review permissions: Enumerate all service accounts with Service Principal Names (SPNs) and confirm none of them can act like a domain controller, remembering that the relevant permission sits on the domain object's access control list, not on the account. Use the directory's own tooling to list SPN accounts, resolve their nested group memberships, compare them with the trustees holding replication rights, and remove grants where necessary.
- System owner should organise regular reviews: Schedule regular reviews of service account permissions, at least quarterly, to ensure no new permissions have been inappropriately granted. Document these reviews and keep them on file.
- Managers should request training: Arrange for your IT team to receive training on identifying and securing high-risk permissions. Check for local courses or consult the Australian Cyber Security Centre (ACSC) guidelines.
- IT team should set up alerts: Enable directory object access and change auditing on domain controllers and alert on (a) Event ID 4662 where the Properties field contains the replication extended-right GUIDs and the subject is not a domain controller account, which is a DCSync in progress, and (b) Event ID 5136 recording a change to nTSecurityDescriptor on the domain object, which is someone granting new rights. Test these alerts monthly, for instance by performing an authorised replication request from a test account, to ensure they fire.
- HR and IT should work together: When an employee leaves, ensure their network permissions, including any for service accounts they may have managed, are promptly reviewed and removed if no longer necessary. Set this as a standard part of the exit process.
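The audit described in the operational notes and in the first and fourth tips above, as an added example (this is not code from the ISM or from Control Stack). It assumes the RSAT ActiveDirectory module, a domain-joined host, and an account that can read the domain object's security descriptor; the `-Remediate` switch is a hypothetical parameter of this script, not a Microsoft one. The extended-right GUIDs are the Microsoft-documented values for the replication rights.

```powershell
<#
  Added example: find SPN-bearing accounts that hold DCSync rights on the domain.
  Read-only unless -Remediate is given; even then only direct grants to the
  account are removed, because an ACE held by a group also serves legitimate
  members (e.g. a directory synchronisation service) and needs manual review.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)

Import-Module ActiveDirectory

# The extended rights that together constitute "DCSync". Get-Changes-All is the
# one that returns password secrets (replicating "secret" attributes).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$AllExtendedRights = '00000000-0000-0000-0000-000000000000'   # ObjectType of an "all extended rights" ACE

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$domainSid = $domain.DomainSID.Value

# DCSync is granted on the domain naming-context head, not on the account, so
# this is the only ACL that matters for the control.
$acl = Get-Acl -Path "AD:\$domainDN"

# Allow ACEs that convey replication: a named replication right, "all extended
# rights", or GenericAll (which implies every right on the object).
$riskyAces = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = $ace.ActiveDirectoryRights.ToString()
    $guid   = $ace.ObjectType.ToString()
    $conveys = ($rights -match 'ExtendedRight' -and
                ($ReplicationRights.ContainsKey($guid) -or $guid -eq $AllExtendedRights)) -or
               ($rights -match 'GenericAll')
    if (-not $conveys) { continue }
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $sid = $null }   # orphaned/unresolvable trustee: cannot map to an account, still worth a look
    [pscustomobject]@{
        Ace     = $ace
        Trustee = $ace.IdentityReference.Value
        Sid     = $sid
        Right   = if ($ReplicationRights.ContainsKey($guid)) { $ReplicationRights[$guid] } else { $rights }
    }
}

# Accounts with an SPN: user accounts plus group-managed service accounts.
# Computer objects hold SPNs by design and are outside this control.
$spnAccounts = @(Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName, primaryGroupID) +
               @(Get-ADServiceAccount -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName, primaryGroupID)

$findings = foreach ($acct in $spnAccounts) {
    # Every SID the account's token would carry: itself, its primary group,
    # well-known "everyone"-style SIDs, and all nested groups (LDAP_MATCHING_RULE_IN_CHAIN).
    # DNs containing LDAP-special characters ( ) * \ would need escaping in the filter.
    $sids = @($acct.SID.Value, "$domainSid-$($acct.primaryGroupID)", 'S-1-1-0', 'S-1-5-11') +
            @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($acct.DistinguishedName))" |
              ForEach-Object { $_.SID.Value })
    foreach ($r in $riskyAces) {
        if ($r.Sid -and $sids -contains $r.Sid) {
            [pscustomobject]@{
                Account = $acct.SamAccountName
                SPNs    = ($acct.servicePrincipalName -join ';')
                Via     = $r.Trustee
                Direct  = ($r.Sid -eq $acct.SID.Value)
                Right   = $r.Right
                Ace     = $r.Ace
            }
        }
    }
}

if (@($findings).Count -eq 0) { Write-Output "No SPN account holds replication rights on $domainDN"; return }
$findings | Format-Table Account, Via, Direct, Right -AutoSize

if ($Remediate) {
    foreach ($f in $findings | Where-Object Direct) {
        if ($PSCmdlet.ShouldProcess($domainDN, "Remove $($f.Right) ACE for $($f.Via)")) {
            [void]$acl.RemoveAccessRule($f.Ace)
        }
    }
    Set-Acl -Path "AD:\$domainDN" -AclObject $acl
    $findings | Where-Object { -not $_.Direct } |
        ForEach-Object { Write-Warning "$($_.Account) inherits $($_.Right) via group $($_.Via); review that group manually" }
}
```

Run it without arguments for the audit report the evidence section asks for; run it with `-Remediate -WhatIf` to preview the ACEs that would be removed, then `-Remediate` to apply. The output also makes a useful baseline: re-run it on the quarterly review schedule and diff the results.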
Audit / evidence tips
- Ask: a permissions audit report. Request the latest detailed report showing which principals hold replication rights on the domain object, cross-referenced with service accounts that have SPNs.
  Good: shows none of these accounts hold DCSync (directory replication) rights, directly or via group membership.
- Ask: a review schedule. Request the document outlining the schedule for regular service account reviews.
  Good: schedule shows reviews happen at least quarterly.
- Ask: training records. Request proof of staff training related to this control.
  Good: record includes recent completion dates and training topics.
- Ask: alert setup details. Request documentation on alerts set up for detecting replication activity and unusual permission changes.
  Good: setup includes detailed criteria (for example the event IDs and extended-right GUIDs matched) and evidence of regular testing.
- Ask: to see the exit protocol. Request the HR procedure for when employees leave.
  Good: protocol clearly integrates IT in the handover process to review and revoke permissions.
Cross-framework mappings
How ISM-1933 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | ||
| Annex A 5.15 | ISM-1933 requires an explicit logical access restriction: SPN service accounts must not have DCSync (directory replication) permissions | |
| Annex A 5.18 | ISM-1933 requires removing/avoiding DCSync permissions for SPN-configured service accounts to prevent directory replication abuse | |
| Annex A 8.3 | ISM-1933 requires that service accounts configured with an SPN are not granted DCSync permissions (i.e | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| E8-RA-ML3.1 | ISM-1933 requires that service accounts with SPNs are not granted DCSync permissions, limiting a high-risk privilege that enables domain ... | |