Update service-accounts-govern-on-premises.md

v-edmckillop · web-flow · commit 593cab7ead91 · 2023-02-07T15:08:20.000-08:00
diff --git a/articles/active-directory/fundamentals/service-accounts-govern-on-premises.md b/articles/active-directory/fundamentals/service-accounts-govern-on-premises.md
@@ -42,115 +42,113 @@ When you create service accounts, consider the information in the following tabl
 | Principle| Consideration | 
 | - |- | 
 | Service account mapping| Connect the service account to a service, application, or script |
-| Ownership| Ensure there's an owner who requests and assumes account responsibility |
+| Ownership| Ensure there's an account owner who requests and assumes responsibility |
 | Scope| Define the scope, and anticipate usage duration|
 | Purpose| Create service accounts for one purpose |
 | Permissions | Apply the principle of least permission. To do so:<li>Don't assign permissions to built-in groups, such as administrators<li>Remove local machine permissions, where feasible<li>Tailor access, and use AD delegation for directory access<li>Use granular access permissions<li>Set account expiration and location restrictions on user-based service accounts |
 | Monitor and audit use| Monitor sign-in data, and ensure it matches the intended usage. Set alerts for anomalous usage. |
 
 ### User account restrictions
 
-For user accounts that are used as service accounts, apply the following settings:
+For user accounts used as service accounts, apply the following settings:
 
-* [**Account expiration**](/powershell/module/activedirectory/set-adaccountexpiration?view=winserver2012-ps&preserve-view=true): Set the service account to automatically expire at a set time after its review period, unless you've determined that the account should continue.
-
-*  **LogonWorkstations**: Restrict permissions where the service account can sign in. If it runs locally on a machine and accesses only resources on that machine, restrict it from signing in anywhere else.
-
-* [**Cannot change password**](/powershell/module/activedirectory/set-aduser): Prevent the service account from changing its own password by setting the parameter to true.
+* Account expiration - set the service account to automatically expire, after its review period, unless the account can continue
+* LogonWorkstations - restrict service account sign-in permissions
+  * If it runs locally and accesses resources on the machine, restrict it from signing in elsewhere
+* Cannot change password - set the parameter to **true** to prevent the service account from changing its own password
  
-## Build a lifecycle management process
-
-To help maintain the security of your service accounts, you must manage them from the time you identify the need until they're decommissioned. 
+## Lifecycle management process
 
-For lifecycle management of service accounts, use the following process:
+To help maintain service account security, manage them from inception to decommission. Use the following process:
 
-1. Collect usage information for the account.
-1. Move the service account and app to the configuration management database (CMDB).
-1. Perform risk assessment or a formal review.
-1. Create the service account and apply restrictions.
-1. Schedule and perform recurring reviews. Adjust permissions and scopes as necessary.
-1. Deprovision the account when appropriate.
+1. Collect account usage information.
+2. Move the service account and app to the configuration management database (CMDB).
+3. Perform risk assessment or a formal review.
+4. Create the service account and apply restrictions.
+5. Schedule and perform recurring reviews. 
+6. Adjust permissions and scopes as needed.
+7. Deprovision the account.
 
-### Collect usage information for the service account
+### Collect service account usage information
 
-Collect relevant business information for each service account. The following table lists the minimum amount of information to collect, but you should collect everything that's necessary to make the business case for each account's existence.
+Collect relevant information for each service account. The following table lists the minimum information to collect. Obtain what's needed to validate each account.
 
 | Data| Description |
 | - | - |
-| Owner| The user or group that's accountable for the service account |
+| Owner| The user or group accountable for the service account |
 | Purpose| The purpose of the service account |
-| Permissions (scopes)| The expected set of permissions |
-| CMDB links| The cross-link service account with the target script or application and owners |
-| Risk| The risk and business impact scoring, based on the security risk assessment |
-| Lifetime| The anticipated maximum lifetime for enabling the scheduling of account expiration or recertification |
-| | |
+| Permissions (scopes)| The expected permissions |
+| CMDB links| The cross-link service account with the target script or application, and owners |
+| Risk| The risk and business impact score, based on a security risk assessment |
+| Lifetime| The anticipated maximum lifetime to schedule account expiration or recertification |
 
-Ideally, you want to make the request for an account self-service, and require the relevant information. The owner can be an application or business owner, an IT member, or an infrastructure owner. By using a tool such as Microsoft Forms for this request and associated information, you'll make it easier to port it to your CMDB inventory tool if the account is approved.
+Make the account request self-service, and require the relevant information. The owner is an application or business owner, an IT team member, or an infrastructure owner. You can use Microsoft Forms for requests and associated information. If the account is approved, use Microsoft Forms to port it to a configuration management databases (CMDB) inventory tool.
 
-### Onboard service account to CMDB
+### Service accounts and CMDB
 
-Store the collected information in a CMDB-type application. In addition to the business information, include all dependencies on other infrastructure, apps, and processes.  This central repository makes it easier to:
+Store the collected information in a CMDB application. Include dependencies on infrastructure, apps, and processes. Use this central repository to:
 
-* Assess risk.  
-* Configure the service account with the required restrictions.  
-* Understand any relevant functional and security dependencies.  
-* Conduct regular reviews for security and continued need.  
-* Contact the owners for reviewing, retiring, and changing the service account.
+* Assess risk
+* Configure the service account with restrictions
+* Ascertain functional and security dependencies
+* Conduct regular reviews for security and continued need
+* Contact the owner to review, retire, and change the service account
 
-Consider a service account that's used to run a website and has permissions to connect to one or more Human Resources (HR) SQL databases. The information stored in your CMDB for the service account, including example descriptions, is listed in the following table:
+#### Example HR scenario
+ 
+An example is a service account that runs a website with permissions to connect to Human Resources SQL databases. The information in the service account CMDB, including examples, is in the following table:
 
-|Data | Example description|
+|Data | Example|
 | - | - |
-| Owner, Deputy| John Bloom, Anna Mayers |
-| Purpose| Run the HR webpage and connect to HR databases. Can impersonate end users when accessing databases. |
-| Permissions, scopes| HR-WEBServer: sign in locally; run web page<br>HR-SQL1: sign in locally; read permissions on all HR databases<br>HR-SQL2: sign in locally; read permissions on Salary database only |
-| Cost Center| 883944 |
-| Risk Assessed| Medium; Business Impact: Medium; private information; Medium |
-| Account Restrictions| Log on to: only aforementioned servers; Cannot change password; MBI-Password Policy; |
+| Owner, Deputy| Name, Name |
+| Purpose| Run the HR webpage and connect to HR databases. Impersonate end users when accessing databases. |
+| Permissions, scopes| HR-WEBServer: sign in locally; run web page<br>HR-SQL1: sign in locally; read permissions on HR databases<br>HR-SQL2: sign in locally; read permissions on Salary database only |
+| Cost center| 123456 |
+| Risk assessed| Medium; Business Impact: Medium; private information; Medium |
+| Account restrictions| Log on to: only aforementioned servers; Cannot change password; MBI-Password Policy; |
 | Lifetime| Unrestricted |
-| Review Cycle| Biannually (by owner, by security team, by privacy) |
-| | |
-
-### Perform a risk assessment or formal review of service account usage
+| Review cycle| Biannually: By owner, security team, or privacy team |
 
-Suppose your account is compromised by an unauthorized source. Assess the risks the account might pose to its associated application or service and to your infrastructure. Consider both direct and indirect risks. 
+### Service account risk assessments or formal reviews
 
-* What would an unauthorized user gain direct access to?  
-* What other information or systems can the service account access?  
-* Can the account be used to grant additional permissions?  
-* How will you know when the permissions change?
+If your account is compromised by an unauthorized source, assess the risks to associated applications, services, and infrastructure. Consider direct and indirect risks:
 
-After you've conducted and documented the risk assessment, you might find that the risks have an impact on:
+* Resources an unauthorized user gains access to
+  * Other information or systems the service account can access
+* Permissions the the account can grant   
+  * Indications or signals when permissions change
 
-* Account restrictions.  
-* Account lifetime.  
-* Account review requirements (cadence and reviewers).
+After the risk assessment, documentation likely shows that risks affect account: 
+ 
+* Restrictions
+* Lifetime
+* Review requirements
+  * Cadence and reviewers
 
 ### Create a service account and apply account restrictions
 
-Create a service account only after you've completed the risk assessment and documented the relevant information in your CMDB. Align the account restrictions with the risk assessment. Consider the following restrictions when they're relevant to your assessment:
-
-* For all user accounts that you use as service accounts, define a realistic, definite end date. Set the date by using the **Account Expires** flag. For more information, see [Set-ADAccountExpiration](/powershell/module/activedirectory/set-adaccountexpiration). 
-
-* Login to the [LogonWorkstation](/powershell/module/activedirectory/set-aduser).
-
-* [Password Policy](../../active-directory-domain-services/password-policy.md) requirements.
-
-* Account creation in an [organizational unit location](/windows-server/identity/ad-ds/plan/delegating-administration-of-account-ous-and-resource-ous) that ensures management only for allowed users.
-
-* Setting up and collecting auditing [that detects changes](/windows/security/threat-protection/auditing/audit-directory-service-changes) to the service account, and [service account use](https://www.manageengine.com/products/active-directory-audit/how-to/audit-kerberos-authentication-events.html).
-
-When you're ready to put the service account into production, grant access to it more securely. 
-
-### Schedule regular reviews of service accounts
-
-Set up regular reviews of service accounts that are classified as medium and high risk. Reviews should include: 
-
-* Owner attestation to the continued need for the account, and a justification of permissions and scopes.
-
-* Review by privacy and security teams, including an evaluation of upstream and downstream connections.
+> [!NOTE]
+> Create a service account after the risk assessment, and document the findings in a CMDB. Align account restrictions with risk assessment findings. 
+ 
+Consider the following restrictions, although some might not be relevant to your assessment.
+
+* For user accounts used as service accounts, define a realistic end date 
+  * Use the **Account Expires** flag to set the date
+  * Learn more: [Set-ADAccountExpiration](/powershell/module/activedirectory/set-adaccountexpiration)
+* Sign in to the [LogonWorkstation](/powershell/module/activedirectory/set-aduser)
+* [Password policy](../../active-directory-domain-services/password-policy.md) requirements
+* Create accounts in an [organizational unit location](/windows-server/identity/ad-ds/plan/delegating-administration-of-account-ous-and-resource-ous) that ensures only some users will manage it
+* Set up and collect auditing that detects [service account changes](/windows/security/threat-protection/auditing/audit-directory-service-changes), and [service account usage](https://www.manageengine.com/products/active-directory-audit/how-to/audit-kerberos-authentication-events.html)
+* Grant account access more securely before it goes into production
+
+### Service account reviews
+ 
+Schedule regular service account reviews, especially those classified Medium and High Risk. Reviews can include: 
 
-* Data from audits, ensuring that it's being used only for its intended purposes.
+* Owner attestation of the need for the account, with justification of permissions and scopes
+* Privacy and security team reviews, that include upstream and downstream dependencies
+* Audit data review
+ * Ensure it's used for its stated purpose
 
 ### Deprovision service accounts
 
