PAM-ifying Windows Service Accounts
Akshay G Bhat
In this article, we will talk about one of the most important and pervasive challenges that system administrators and security professionals face on a daily basis. Most organizations that rely on Windows operating systems use Windows service accounts for their operations. What are Windows service accounts? What makes them different from normal user accounts, and why are they preferred? If they are used in such abundance by IT departments, won’t they attract security threats? If so, what are the safety measures that safeguard these so-called service accounts? All of these questions need to be answered and understood in order to secure this common yet challenging facet of Windows Privileged Access Management. In this article, we will deal with all these whats, hows and more regarding service accounts.
What are Windows Service Accounts?
Windows accounts can be created in two ways: as normal user accounts or as service accounts. Wondering what makes service accounts different from user accounts? Read again; the answer you seek is in their names! User accounts are operated by people, whereas service accounts are used by system services such as web servers and other applications. Service accounts exist primarily to execute system applications and run various programs, and they can be created either manually or during software installation.
Why are they Useful?
Service accounts make it possible to grant only the minimum access a workload needs. This lines up nicely with the concept of least privilege – grant access only to the users who need it, and only the minimum access required to get their job done. Not every user of a service account needs access to everything connected to it. They may need only some specific files or services, and with a service account, access is granted to that specific data and nothing more. This practice of limiting access to files pays off if a particular user is compromised: only the data accessible to the compromised user is affected. One thing to note is that one service account should be created for each service and application in use. If a single service account is shared by all services and that account is breached, alas, everything will be gone.
Many servers use root accounts to run persistent applications. This is not a good strategy, and it is again where a service account comes into the picture. Service accounts handle these persistent applications and services by running them when needed on behalf of actual users, so users do not have to concern themselves with the details. This also means that a service account should be identified not only by the applications it executes but also by everything those applications interact with. Another reason service accounts are chosen over user accounts for running application services is security. If a service account used by an organization is compromised, the data loss is confined to that particular service account and does not extend to the system accounts. Essentially, think of a service account as an air gap between you and the target resource you want to access: someone runs your requests on the resource on your behalf while you yourself stay insulated from the resource, whether it is an IIS server account, a SQL database account or another type of resource.
What are the Challenges?
Is there something like a free lunch – I guess not. When you are using Windows service accounts in an organization that has multiple accounts working with multiple applications and services, the scenario becomes chaotic. Take a look at the cases where organizations faced service account breaches: most of the service accounts involved were created by copying existing ones. This automatically grants the new service account extra privileges it does not need, and thereby creates a threat to the account. Additionally, the complexity of managing service accounts can grow drastically; many IT and security professionals have strong opinions about this “necessary evil”.
What should you watch out for?
Make sure to create each service account from scratch and assign only the minimum privileges your needs require. Setting fixed access controls and privileges for each application and service is mandatory to ensure a secure environment for the service account. Another thing to keep in mind while managing Windows service accounts is password management. The security level of a service account must always be strong, which also means that service accounts must be subject to regular password rotation. If a service account is compromised, the credentials and data of many applications and services are put at risk. A good number of service accounts in use still have their default or original passwords, which points to a serious cybersecurity risk. Most of the time, service accounts are the gatekeepers to sensitive data and information, so regular rotation of their passwords should be a high priority.
Changing the password of a service account is not a cakewalk. It is not simply a matter of changing the service account’s password in one go: you need to know every location where the old password is stored. An application that uses the service account may keep an encrypted copy of the password locally. In that case, after you change the service account password you must also update it in the application; otherwise the application will keep trying to run with the old password and fail to execute properly. The same applies to every service attached to the service account.
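The rotation procedure just described, as an added PowerShell example (not code from the original article or from the author): inventory every Windows service that logs on with the account first, then reset the password in Active Directory, then push the new credential to each service’s Service Control Manager entry and restart the ones that were running. The account name svc_app, the domain CORP and the host list are placeholders, and the script assumes the ActiveDirectory module is installed and that the caller may reset the account password and reconfigure services on the listed hosts.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original article: rotate a service account's
# password in Active Directory and push the new credential to every Windows
# service that logs on with it, restarting those that were running. Account,
# domain and host names are placeholders; the caller is assumed to have rights
# to reset the password and to reconfigure services on the listed hosts.

param(
    [string]   $AccountSam = 'svc_app',           # placeholder service account
    [string]   $Domain     = 'CORP',              # placeholder NetBIOS domain name
    [string[]] $Hosts      = @('app01', 'app02')  # placeholder hosts to inspect
)

$logon = "$Domain\$AccountSam"

# Step 1: inventory. Find every service on every host that logs on with this
# account *before* touching the password; a consumer missed here keeps the old
# password and fails on its next start.
$consumers = foreach ($h in $Hosts) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $h |
        Where-Object { $_.StartName -ieq $logon -or $_.StartName -like "$AccountSam@*" } |
        ForEach-Object { [pscustomobject]@{ Host = $h; Service = $_ } }
}
if (-not $consumers) {
    Write-Warning "No services on $($Hosts -join ', ') log on as $logon; nothing to update."
    return
}
"Services using ${logon}:"
$consumers | ForEach-Object { "  $($_.Host)\$($_.Service.Name) (state: $($_.Service.State))" }

# Step 2: generate a new random password (32 bytes from a CSPRNG, base64 encoded).
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)
$secure      = ConvertTo-SecureString $newPassword -AsPlainText -Force

# Step 3: reset the password in Active Directory.
Set-ADAccountPassword -Identity $AccountSam -Reset -NewPassword $secure

# Step 4: update the credential stored in each service's SCM entry, then
# restart services that were running so they pick up the new password.
$failed = @()
foreach ($c in $consumers) {
    $svc = $c.Service
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartName = $logon; StartPassword = $newPassword }
    if ($r.ReturnValue -ne 0) {
        $failed += "$($c.Host)\$($svc.Name) (Change returned $($r.ReturnValue))"
        continue
    }
    if ($svc.State -eq 'Running') {
        $null = Invoke-CimMethod -InputObject $svc -MethodName StopService
        Start-Sleep -Seconds 5   # give the stop time to complete before starting again
        $start = Invoke-CimMethod -InputObject $svc -MethodName StartService
        if ($start.ReturnValue -ne 0) {
            $failed += "$($c.Host)\$($svc.Name) (StartService returned $($start.ReturnValue))"
        }
    }
}

# Do not leave the plaintext password lying around in the session.
Remove-Variable -Name newPassword, bytes

if ($failed) {
    Write-Warning "Password was rotated in AD but these services still hold the old credential or did not restart:`n  $($failed -join "`n  ")"
} else {
    "Rotation complete: $($consumers.Count) service(s) updated."
}
```

The order matters: the inventory runs before the reset so that the list of consumers is complete, and any service whose SCM entry could not be updated is reported explicitly at the end, because that service will fail the next time it starts.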
Apart from all of this, certain practices such as NOT using built-in privileged groups for service accounts, avoiding redundant user rights, continuous auditing and restricting a service account’s usage to a fixed time window add a further layer of security around service accounts.
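An audit that checks the points raised above (built-in privileged groups, stale passwords, and the one-account-per-service rule from earlier), as an added PowerShell example that is not part of the original article: it walks the services on each host, resolves each domain logon account in Active Directory, reports transitive membership in built-in privileged groups, flags passwords older than a threshold, and flags accounts shared by several services. The host list, the group list and the 90-day threshold are assumptions chosen for illustration; the ActiveDirectory module is assumed to be installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original article: audit the domain accounts that
# Windows services log on with. Flags accounts in built-in privileged groups,
# accounts whose password is older than a threshold, and accounts shared by
# more than one service. Host list, group list and the 90-day threshold are
# assumptions chosen for illustration.

param(
    [string[]] $Hosts = @('localhost'),   # hosts whose services are inspected
    [int] $MaxPasswordAgeDays = 90        # assumed rotation threshold
)

# Built-in privileged groups a service account should stay out of (assumed list).
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                      'Account Operators', 'Backup Operators', 'Server Operators')

# Logon names that are not domain accounts and are skipped by this audit.
$builtInLogons = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function ConvertTo-LdapFilterValue([string] $Value) {
    # Escape the characters that have meaning inside an LDAP filter (RFC 4515).
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-ServiceLogonSam([string] $StartName) {
    # Normalise "DOMAIN\user" or "user@domain" to the bare sAMAccountName.
    return (($StartName -split '\\')[-1] -replace '@.*$', '')
}

$findings = foreach ($h in $Hosts) {
    $cimArgs = @{ ClassName = 'Win32_Service' }
    if ($h -ne 'localhost') { $cimArgs.ComputerName = $h }
    foreach ($svc in Get-CimInstance @cimArgs) {
        $logon = $svc.StartName
        # Skip built-in, virtual (NT SERVICE\...) and local (.\...) accounts.
        if (-not $logon -or $builtInLogons -contains $logon) { continue }
        if ($logon -like 'NT SERVICE\*' -or $logon -like '.\*') { continue }

        $sam = Get-ServiceLogonSam $logon
        try {
            $user = Get-ADUser -Identity $sam -Properties PasswordLastSet
        } catch {
            Write-Warning "$h/$($svc.Name): could not resolve '$logon' in AD ($_)"
            continue
        }

        # Transitive group membership via the LDAP_MATCHING_RULE_IN_CHAIN OID,
        # so nesting (a custom group placed inside Domain Admins) is caught too.
        $dn = ConvertTo-LdapFilterValue $user.DistinguishedName
        $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                  Select-Object -ExpandProperty Name
        $privHits = @($groups | Where-Object { $privilegedGroups -contains $_ })

        $ageDays = if ($user.PasswordLastSet) {
            [int]((Get-Date) - $user.PasswordLastSet).TotalDays
        } else { $null }   # never set, or "must change at next logon"

        $issues = @()
        if ($privHits.Count -gt 0) { $issues += "in privileged group(s): $($privHits -join ', ')" }
        if ($null -eq $ageDays) { $issues += 'password last-set date unknown' }
        elseif ($ageDays -gt $MaxPasswordAgeDays) { $issues += "password not rotated for $ageDays days" }

        [pscustomobject]@{
            Host            = $h
            Service         = $svc.Name
            Account         = $logon
            PasswordAgeDays = $ageDays
            Issues          = $issues
        }
    }
}

# One service account per service: flag accounts reused across services or hosts.
$findings | Group-Object Account | Where-Object Count -gt 1 | ForEach-Object {
    $count = $_.Count
    foreach ($f in $_.Group) { $f.Issues += "shared by $count services" }
}

$findings | Where-Object { $_.Issues.Count -gt 0 } |
    Select-Object Host, Service, Account, PasswordAgeDays, @{ n = 'Issues'; e = { $_.Issues -join '; ' } } |
    Format-Table -AutoSize
```

Run it against the hosts that matter and feed the output into whatever review cadence the team already has; the transitive group lookup is what catches the copied-from-an-existing-account problem described above, since a copied account inherits group memberships that a plain direct-membership check may miss.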
Is there no simple solution?
The answer is, fortunately, a big yes. The concept of Privileged Account Management, or PAM, steps into all the scenarios mentioned above as the answer. Privileged Account Management can be defined as a set of strong and effective security tools wrapped together in one layer. As the name implies, these tools control the privileges and access rights for everything that happens inside the system. Nothing unauthorized gets in or out of the barriers the PAM tools build. All password-protected accounts can be easily secured and managed with PAM’s password protection software, which keeps service account credentials protected. PAM solutions do more than protect passwords: they also monitor and control access to the service accounts and respond when malicious activity is detected.
PAM solutions, if personified, would look like a person holding a warning board that says “Security Does Not Sleep”. Yes, nothing goes unaudited when your server is secured with the help of a PAM tool. Everything is recorded and can be reviewed when required, which brings extra benefits for service account security. All activities of the Windows service accounts are monitored and recorded. This helps an administrator correct any flaws in service account operations and find the root cause of issues. Reviewing all service account activity gives you a heads-up about problems or malicious activity in the account, as most service account breaches have been due to a compromised insider or to unintentional yet insecure account privilege settings. PAM tools can rotate not only values like AWS API keys but also passwords for Active Directory service accounts.
Service accounts are generally user accounts created to run services or applications. Regular password rotation is strongly recommended to administrators to ensure a secure environment while using a service account. In this article, we have tried to provide some guidelines on the types of risks that any CISO, CIO, VP of Security, and security and ops teams have to deal with on a day-to-day basis. Hopefully, these perspectives from our enterprise customers and forward-looking CISO advisors will prove valuable to you. If you require any additional clarification, please feel free to get in touch with us at https://www.onionid.com, or if you need information about a complete, lightweight, cost-effective PAM solution with great after-sales support, please connect with us at email@example.com.