An over-privileged network access account is a security risk specific to SCCM environments. This post is about protecting that account.
The network access account is used in most SCCM environments. It gives access to distribution point content to machines that can’t use their domain computer account to authenticate against the distribution point. The new SCCM Current Branch docs site describes it like this:
Client computers use the Network Access Account when they cannot use their local computer account to access content on distribution points. For example, this applies to workgroup clients and computers from untrusted domains. This account might also be used during operating system deployment when the computer installing the operating system does not yet have a computer account on the domain.
One of my fellow MVPs, Roger Zander, has described it as evil.