
SQL Server replication agents security


I was testing replication on different servers, and I found that the easiest way (for me) to do it is to run all the replication agents (Snapshot Agent, Log Reader Agent, and Distribution Agent) under the same Windows account.

However, according to Microsoft documentation this is not the best security practice.

Run each replication agent under a different Windows account, and use Windows Authentication for all replication agent connections. For more information about specifying accounts, see Manage Logins and Passwords in Replication.

Can someone please explain to me the reason behind this? Also, what are the risks of having only one Windows account to run all the agents?


Solution

  • Each replication agent should be run under a different Windows account and should only be granted the required permissions. This is known as the principle of least privilege, and it is the recommended approach.

    The reason for this is that the different replication agents (Snapshot, Log Reader, Distribution, Merge, Queue Reader) require different permissions depending on the agent and the subscription type, which are covered in the section Permissions That Are Required by Agents in Replication Agent Security Model. By following the principle of least privilege, we allow the agents to access only the resources that are necessary to perform their intended function.

    Put simply, the principle of least privilege increases your security and reduces risk.
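As an added illustration (not part of the original answer), the T-SQL below assigns a separate Windows account to each agent of a transactional publication with a push subscription, then lists the account each agent job step actually runs as. The domain accounts, passwords, server, database and publication names are placeholders, and it assumes the Publisher is its own Distributor so that all agent jobs live in the same msdb.

```sql
-- Placeholders throughout: CONTOSO\repl_* accounts, SalesDB, SalesPub, SUBSRV01, SalesSub.
-- Run at the Publisher, in the publication database.
USE SalesDB;
GO

-- Log Reader Agent: db_owner in the publication and distribution databases.
EXEC sp_addlogreader_agent
    @job_login               = N'CONTOSO\repl_logreader',
    @job_password            = N'<password>',
    @publisher_security_mode = 1;   -- 1 = Windows Authentication

-- Snapshot Agent: same database roles, plus write access to the snapshot share.
EXEC sp_addpublication_snapshot
    @publication             = N'SalesPub',
    @job_login               = N'CONTOSO\repl_snapshot',
    @job_password            = N'<password>',
    @publisher_security_mode = 1;

-- Distribution Agent (push): db_owner in the distribution and subscription
-- databases, membership in the publication access list, and only read
-- access to the snapshot share.
EXEC sp_addpushsubscription_agent
    @publication              = N'SalesPub',
    @subscriber               = N'SUBSRV01',
    @subscriber_db            = N'SalesSub',
    @job_login                = N'CONTOSO\repl_distrib',
    @job_password             = N'<password>',
    @subscriber_security_mode = 1;
GO

-- Check: which Windows account does each replication agent job step use?
-- A NULL run_as_account means no proxy is set, so the step runs as the
-- SQL Server Agent service account. An agents_sharing_account value above 1
-- means one account is being reused across agents.
SELECT  j.name                  AS job_name,
        js.subsystem            AS agent_type,
        c.credential_identity   AS run_as_account,
        COUNT(*) OVER (PARTITION BY c.credential_identity) AS agents_sharing_account
FROM    msdb.dbo.sysjobs      AS j
JOIN    msdb.dbo.sysjobsteps  AS js ON js.job_id = j.job_id
LEFT JOIN msdb.dbo.sysproxies AS p  ON p.proxy_id = js.proxy_id
LEFT JOIN sys.credentials     AS c  ON c.credential_id = p.credential_id
WHERE   js.subsystem IN (N'Snapshot', N'LogReader', N'Distribution',
                         N'Merge', N'QueueReader')
ORDER BY run_as_account, job_name;
```

The permission summaries in the comments are condensed from the Replication Agent Security Model documentation the answer cites; confirm them against that page for your topology. With one shared account, that account would need the union of all of these permissions, so a compromise of any single agent would expose every database and share the others touch.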