Service Accounts
Overview
Service accounts are logins that are not tied to a human identity and usually do not exist in the corporate directory.
Because these logins cannot be protected with multi-factor authentication, they are secured with connection policies that restrict them to an IP address range, a target system, a client name and/or a time of day.
The goal is to
- block any connection to a target database using a service login when the client IP is not the app server's IP address
- send an alert on misuse of a service account, such as a non-compliant connection attempt
Configuration Steps
To create and lock down a service account:
Prerequisites
Create an alert channel for non-compliant connection attempts
Step 1 - Create a Mamori user without 2FA
Step 2 - Create a connection policy to lock down the Mamori user
Create Service Account User
Click Users
Click
Enter the user details and click Create
Enter the user's permissions
Create Connection Policy
Click Policies
Click Connection Policies
Click Before Connection
Next, enter the rule details:
| Field | Description |
|---|---|
| Rule description | A reference description for the rule |
| Enabled | Defaults to true |
| Action | Allow, Allow & Log, Deny, Deny No Log |
| Rule | Use the rule builder to create the rule: DENY WHEN User Is your_service_login AND Datasource Is a_target_database AND Client IP Is Not app_server_ip |
| Alert | Select the alert channel for non-compliant connection attempts |

Click OK
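The rule above is built declaratively in the Mamori rule builder, but it helps to see what the evaluation actually decides. The following is an added example, not Mamori's own code or API: a small evaluator for a "before connection" rule of the form DENY WHEN User Is <service_login> AND Datasource Is <db> AND Client IP Is Not <app server range>, extended with the client-name and time-of-day restrictions the overview mentions. The service login (svc_orders), datasource (orders_db), address range (10.0.1.0/24), client name, alert channel name and the sample connection attempts are all assumptions constructed for illustration.

```python
# Added example (not Mamori's own code): evaluates a connection-policy rule of the
# form DENY WHEN User Is <service_login> AND Datasource Is <db>
#      AND Client IP Is Not <app_server_range>
# plus optional client-name and time-of-day restrictions, and produces an alert
# for every denial. All logins, datasources, addresses and names are assumed.
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple


@dataclass
class ConnectionAttempt:
    user: str
    datasource: str
    client_ip: str
    client_name: str = ""
    at: time = time(12, 0)


@dataclass
class ServiceAccountRule:
    user: str
    datasource: str
    allowed_cidrs: List[str]                       # app server IP(s) or range(s)
    allowed_clients: Optional[List[str]] = None    # None means any client name
    window: Optional[Tuple[time, time]] = None     # None means any time of day
    alert_channel: str = "svc-account-violations"  # assumed channel name

    def _ip_allowed(self, ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # an unparseable address is treated as outside the range
        return any(addr in ipaddress.ip_network(c, strict=False)
                   for c in self.allowed_cidrs)

    def _client_allowed(self, name: str) -> bool:
        return self.allowed_clients is None or name in self.allowed_clients

    def _time_allowed(self, t: time) -> bool:
        if self.window is None:
            return True
        start, end = self.window
        if start <= end:                   # e.g. 06:00-22:00
            return start <= t <= end
        return t >= start or t <= end      # window wraps midnight, e.g. 22:00-06:00

    def evaluate(self, a: ConnectionAttempt) -> Tuple[str, Optional[str]]:
        """Return (decision, alert). Decision is NO_MATCH when the rule does not
        apply to this user/datasource pair, otherwise ALLOW or DENY."""
        if a.user != self.user or a.datasource != self.datasource:
            return "NO_MATCH", None
        reasons = []
        if not self._ip_allowed(a.client_ip):
            reasons.append(f"client IP {a.client_ip} not in {self.allowed_cidrs}")
        if not self._client_allowed(a.client_name):
            reasons.append(f"client {a.client_name!r} not in {self.allowed_clients}")
        if not self._time_allowed(a.at):
            reasons.append(f"time {a.at:%H:%M} outside the allowed window")
        if reasons:
            alert = (f"[{self.alert_channel}] DENY {a.user}@{a.datasource} "
                     f"from {a.client_ip}: " + "; ".join(reasons))
            return "DENY", alert
        return "ALLOW", None


# Constructed rule and sample connection attempts for the demo (all values assumed).
RULE = ServiceAccountRule(
    user="svc_orders",
    datasource="orders_db",
    allowed_cidrs=["10.0.1.0/24"],
    allowed_clients=["orders-api"],
    window=(time(6, 0), time(22, 0)),
)

SAMPLE_ATTEMPTS = [
    ConnectionAttempt("svc_orders", "orders_db", "10.0.1.15", "orders-api"),             # compliant
    ConnectionAttempt("svc_orders", "orders_db", "203.0.113.9", "orders-api"),           # wrong source IP
    ConnectionAttempt("svc_orders", "orders_db", "10.0.1.15", "psql"),                   # wrong client
    ConnectionAttempt("svc_orders", "orders_db", "10.0.1.15", "orders-api", time(3, 0)), # outside window
    ConnectionAttempt("alice", "orders_db", "203.0.113.9", "psql"),                      # rule not applicable
]


def evaluate_all(rule: ServiceAccountRule = RULE,
                 attempts: List[ConnectionAttempt] = SAMPLE_ATTEMPTS):
    """Evaluate every attempt and return the list of (decision, alert) pairs."""
    return [rule.evaluate(a) for a in attempts]


if __name__ == "__main__":
    for attempt, (decision, alert) in zip(SAMPLE_ATTEMPTS, evaluate_all()):
        print(f"{decision:8} {attempt.user}@{attempt.datasource} from {attempt.client_ip}")
        if alert:
            print("   alert ->", alert)
```

Two points worth noting from the example: the rule is scoped to one login on one datasource, so a human user connecting from the same unexpected address is NO_MATCH and falls through to whatever policy applies to them, and an unparseable client address is treated as outside the allowed range rather than as a pass.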