The company I work for is currently undertaking a project to remediate (among other things) a pen-test finding that a privileged domain-level account (which was compromised by the pen-testers during the audit) was being used for multiple maintenance and development tasks in production. Currently, we're trying to discourage the use of this account and break its functionality out into separate service accounts. We're getting especially firm push-back from the DBA group on the topic of trying to discourage its use in installing SQL Server patches.
So far, I haven't been able to find any guidance specific to accounts when it comes to "best practices" for installing patches, so I was wondering if anyone had any first-hand knowledge or a good starting point on where to look. Thanks.