I am deploying an application which scans files. Our systems access management team will provide a Windows non interactive service account so the app can access file shares. They've just told me that there is no way to prevent a user from using the service account to map a drive and so view the files.
I'm not a network guy so dont know if this true. Is there any way to prevent drive mapping?
You're being painfully vague, but they're saying that they'll create a service account for your service to log in as and run under.
However, there is no actual concept of "service accounts" in Active Directory or locally*, so in every way this is just a standard user with whatever rights are required etc. They may choose to restrict it as much as is reasonably possible (NB: Or, they may not!) but ultimately it's going to need access to some things for your software to work.
If somebody got hold of the username and password then yes, they could in theory use it to authenticate and access whatever your software accesses.
However, this isn't a security risk in itself - no more than having administrative accounts etc. The answer is the same: Make the password complicated, random and release it to only those who genuinely need it.
We'd need far more detail on your environment before we could recommend other specific ways to mitigate risk, but I'm not sure it would do your professional relationship any good to approach them with said answers.
*The idea is, however, best practice, well documented and understood. But you must understand there is no "Service Account" user type or anything. It's just a descriptive term.
