Privileged and Service Account Management
We spoke previously on the management of privileged accounts and how important it is to keep them accountable. Privileged accounts are one of many different types of accounts that should fall under your organizations Account Management Program and another one to add to that would be service accounts.
What is a service account anyway? In basic terms, a service account is an account that a service on your computer uses to run under and access resources. While they may look the same, the separation of users from services is very important for both tracking and the ability to tighten down what an account can do. A service account could also be an account that is used for a scheduled task (sometimes referred to as a batch job account), or an account that is used in a script that is run outside of a specific user’s context. A scheduled task account should not be a personal user’s account for the same reasons that a service should not run under a personal user’s account.
You may ask what is so important about these? It seems like if it is not a user account, then how would it have access to my organization’s network? On the contrary, these accounts are a favorite target of many malicious actors because they are often implemented in such a way that they have a higher level of access than a user account. These accounts are members of the domain in the same way a user account is. Historically, they also have not changed passwords as often (if ever) as user accounts.
Services are often installed under the built-in Local System account, which gives what are essentially local administrator privileges, so they are more predictable in how they will be able to be used if compromised. While local administrator privileges may seem somewhat harmless since they are not usually useable on other computers on your network, the local administrator privileges can end up granting access to domain username/password combinations. An attacker can use this as a jumping point leading to account changes that allow for elevated access to other parts of your network. As a result, both locking down a service account and following good password change and audit procedures is an important part of keeping your systems secure.
What can you do?
When it comes to the configuration and management of service accounts, there a few things listed below that can help.
- Password Management – Some administrators like to set these accounts up with passwords that do not expire or use the same password for all the service accounts. Instead, there needs to be a strategy for managing these passwords and changing them on a regular basis, as well as using unique passwords. Use an encrypted vault to protect, store and generate random passwords for service accounts.
- Privilege Management – It is best practice to implement the principle of least privilege. Only provide the minimum necessary privileges to service accounts. If your service account must run with administrative privileges, deny that account access to all of the directories besides the one or two that it needs. Creating limited access to systems and denying interactive rights to only what is required reduces exposure.
- Governance – First inventory all service accounts to know what you have and where. Next establish regular reviews of service accounts in the environment documenting ownership, required access and lifecycle of the account. Enforce these requirements with a workflow to gather these elements for new authorizations.
- Auditing – Logging and auditing of service accounts, and all accounts in any case, is very important to keep systems secure. Using a SIEM looking for specific events can be helpful in discovering security problems and services that are not working correctly.
Locking down your service accounts should be a basic component of your hardening guide for all computers. While it requires more time to lock down a new service account to allow access only to what it needs, it is well worth the time spent. Defense-in-depth requires that you look at more than the perimeter, and service accounts are one major place where the in-depth strategy can serve you well.
