For a fairly standard, internal facing, web app of an IIS layer talking to an MS SQL back end, we are using a service account for the IIS to talk to SQL.
We also have in our Active Directory setup a password lockout set, so that too many guesses lock the account.
Following on from the "Is account lockout a denial of service attack waiting to happen?" scenario: does setting Deny Logon Locally for the service account user impact this lockout feature in any way?
Alternatively (additionally?) is this the kind of scenario that Managed Service Accounts are supposed to help fix?
I don't know that it's precisely what MSAs are designed to guard against, but they certainly do, and it's best practice to use them when you do need a non-interactive account as a service account.
The Deny Logon Locally flag has no effect on lockout policy - authentication happens before those policies are enforced.
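As an added example (not part of any answer in this thread): the PowerShell a domain admin would run to replace the password-based IIS service account with a group managed service account (gMSA), run the application pool as it, and give it a Windows login on the SQL Server. The point the answer makes is that a gMSA has no password anyone types or stores, so there is nothing for an attacker to guess and nothing for lockout to bite on. Every name here is an assumption: domain CORP, gMSA svcIIS, IIS host WEB01, SQL host SQL01, app pool IntranetPool, database IntranetDb, and a Server 2012 or later domain.

```powershell
# Added example, not from the original thread. All names below are assumptions:
# domain CORP, gMSA svcIIS, IIS host WEB01, SQL host SQL01, app pool IntranetPool.
Import-Module ActiveDirectory

# --- On a domain controller (one-time): create a KDS root key if none exists.
# A new key is normally usable only after ~10 hours; -EffectiveImmediately is for labs.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Create the gMSA and allow only the IIS host to retrieve its password.
# The DC generates a 240-character random password and rotates it every 30 days;
# no admin ever sees it and it is never written into web.config.
New-ADServiceAccount -Name 'svcIIS' `
    -DNSHostName 'svcIIS.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WEB01$' `
    -KerberosEncryptionType AES128, AES256

# --- On WEB01: install the account locally and confirm the host can fetch the password.
Install-ADServiceAccount -Identity 'svcIIS'
if (-not (Test-ADServiceAccount -Identity 'svcIIS')) {
    throw 'WEB01 cannot retrieve the gMSA password; check PrincipalsAllowedToRetrieveManagedPassword'
}

# Run the application pool as the gMSA. The trailing $ marks it as a computer-style
# account; no password is given because Windows fetches it from the DC itself.
Import-Module WebAdministration
Set-ItemProperty -Path 'IIS:\AppPools\IntranetPool' -Name processModel `
    -Value @{ identityType = 'SpecificUser'; userName = 'CORP\svcIIS$' }
Restart-WebAppPool -Name 'IntranetPool'

# --- On SQL01: give the gMSA a Windows login and only the database rights the app
# needs (reader/writer here, no sysadmin). The app's connection string then uses
# Integrated Security=SSPI and carries no password at all.
$tsql = @'
CREATE LOGIN [CORP\svcIIS$] FROM WINDOWS;
USE IntranetDb;
CREATE USER [CORP\svcIIS$] FOR LOGIN [CORP\svcIIS$];
ALTER ROLE db_datareader ADD MEMBER [CORP\svcIIS$];
ALTER ROLE db_datawriter ADD MEMBER [CORP\svcIIS$];
'@
Invoke-Sqlcmd -ServerInstance 'SQL01' -Query $tsql
```

A standalone MSA (`New-ADServiceAccount -Name svcIIS -RestrictToSingleComputer`, then `Add-ADComputerServiceAccount`) works the same way on a single host; the gMSA form is what you want once the IIS layer is more than one server.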
Well, as per me, I think this is the issue you are facing.
To secure the managed service accounts, please refer to this link:
http://hitachi-id.com/password-manager/docs/password-management-best-practices.html
Hope this helps, if this is the scenario.
Don't forget, you can also configure exactly what machines the account is allowed to be used on. I'm pretty sure this will prevent the authentication process even starting.
I can't remember if this is exposed through ADUC, but it's ultimately defined in the userWorkstations attribute of the user's object in AD.
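As an added example (not part of the answer above): the PowerShell that writes the userWorkstations attribute the answer refers to, confirms what was written, and then shows where the lockout policy actually lives so the two controls can be compared side by side. The account name svc_iis and host names WEB01/WEB02 are assumptions.

```powershell
# Added example, not from the original thread. Account svc_iis and hosts WEB01/WEB02 are assumptions.
Import-Module ActiveDirectory

# Restrict the password-based service account to the IIS hosts only. -LogonWorkstations
# writes the userWorkstations attribute as a comma-separated list of NetBIOS names;
# the DC refuses a logon from any other computer, so a guess from elsewhere never
# reaches the password check (and so never counts toward lockout).
Set-ADUser -Identity 'svc_iis' -LogonWorkstations 'WEB01,WEB02'

# Confirm what was written: the raw attribute and the friendly property are the same value.
Get-ADUser -Identity 'svc_iis' -Properties userWorkstations, LogonWorkstations |
    Select-Object SamAccountName, userWorkstations, LogonWorkstations

# Lockout is set in the domain password policy (or a fine-grained policy applied to
# the account), not in the user-rights assignments that hold "Deny log on locally".
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
Get-ADUserResultantPasswordPolicy -Identity 'svc_iis'   # fine-grained policy, if one applies

# badPwdCount is not replicated, so read it from the PDC emulator, which sees every
# failed attempt; then release the service account if it has been locked out.
$pdc  = (Get-ADDomain).PDCEmulator
$acct = Get-ADUser -Identity 'svc_iis' -Server $pdc `
    -Properties LockedOut, badPwdCount, lastBadPasswordAttempt
if ($acct.LockedOut) {
    Write-Warning "svc_iis locked out after $($acct.badPwdCount) bad attempts, last at $($acct.lastBadPasswordAttempt)"
    Unlock-ADAccount -Identity $acct -Server $pdc
}

# Everything currently locked out in the domain, for the broader denial-of-service check.
Search-ADAccount -LockedOut -UsersOnly -Server $pdc | Select-Object SamAccountName, LastLogonDate
```

In ADUC the same attribute is exposed on the user's Account tab under "Log On To...", which is why it is easy to miss that it is a per-account list of computer names rather than a group policy setting.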