Service Account Management
We spoke previously on the management of privileged accounts and how important it is to keep them accountable. Privileged accounts are one of many different types of accounts that should fall under your organizations Account Management Program and another one to add to that would be service accounts.
What is a service account anyway? In basic terms, a service account is an account that a service on your computer uses to run under and access resources. This should not be a user’s personal account. While they may look the same, the separation of users from services is very important for both tracking and the ability to tighten down what an account can and cannot do. A service account could also be an account that is used for a scheduled task (sometimes referred to as a batch job account), or an account that is used in a script that is run outside of a specific user’s context. A scheduled task account should not be a personal user’s account for the same reasons that a service should not run under a personal user’s account.
You may ask what is so important about these? It seems like if it is not a user account, then how would it have access to my organization’s network? On the contrary, these accounts are a favorite target of many malicious actors because they are often implemented in such a way that they have a higher level of access than a user account. Historically, they also have not changed passwords as often (if ever) as user accounts.
Services are often installed under the built-in Local System account, which gives what are essentially local administrator privileges, so they are more predictable in how they will be able to be used if compromised. While local administrator privileges may seem somewhat harmless since they are not usually useable on other computers on your network, the local administrator privileges can end up granting access to domain username/password combinations and or lead to account changes that allow for easier connections to other parts of your network. As a result, both locking down a service account and following good password change and audit procedures is an important part of keeping your systems secure.
What can you do?
When it comes to the configuration and management of service accounts, there a few things listed below that can help.
- Password Management – Some administrators like to set these accounts up with passwords that do not expire or use the same password for all the service accounts. Instead, there needs to be a strategy for managing these passwords and changing them on a regular basis, as well as using unique passwords.
- Privilege Management – It is best practice to implement the principle of least privilege. Only provide the minimum necessary privileges to service accounts. If your service account must run with administrative privileges, deny that account access to all of the directories besides the one or two that it needs.
- Naming – Consider names that are not completely obvious to the service, for example SQLService would be helpful to administrators, but it is more helpful to attackers. While obfuscation is not usually a recommendation to secure systems, in this case it may slow someone down enough to not want to try every account available.
- Auditing – Logging and auditing of service accounts, and all accounts in any case, is very important to keep systems secure. Using an event log aggregator and looking for specific events can be helpful in discovering security problems and services that are not working correctly.
Locking down your service accounts should be a basic component of your hardening guide for all computers. While it requires more time to lock down a new service account to allow access only to what it needs, it is well worth the time spent. Defense-in-depth requires that you look at more than the perimeter, and service accounts are one major place where the in-depth strategy can serve you well.