Password security for Active Directory is becoming extremely important for companies across the globe due to the proliferation of ransomware and security breaches. One area that may not get a lot of attention but is equally important to have a solution for are service accounts.
What is a Service Account?
Service Management Console
A service account is an Active Directory account that is used to authenticate a process that runs on a Windows Server or PC such as an accounting system or for SQL databases processes.
Windows Services are managed in the Services Management Console shown below.
When you open an individual Windows Service and click on the 'Log On' tab you can review which account is used to authenticate that Windows Service.
When you review which accounts that are used for authenticating Windows Services you will notice that some use the Local System account while others are using a specific Active Directory account with a password.
If the Local System account is specified there is no password used and therefore no password to rotate. The Local System account is a highly privileged account that is used by a number of Windows Services but is not suitable for all Windows Services.
Service Accounts can also be used for authenticating Windows Scheduled Tasks that are accessed within the Task Scheduler application.
Similar to Windows Services in the Services Management Console you can use the Local System Account or a specific Active Directory domain account to authenticate the Scheduled Task.
Why Should You Rotate Service Account Passwords?
This is a very important question. The answer is it depends on the circumstance. Active Directory accounts used for Windows Services and Scheduled tasks can be hacked just like any other account. In a lot of cases the accounts used for Windows Services and scheduled tasks have elevated permissions and therefore pose a greater risk if the account is breached.
What Happens When You Reset a Service Account Password?
Service Management Console
When you reset a service account password you must also update the password in either the Windows Services Management Console or in the Scheduled Task that uses the account. If you do not do this the process that the Windows Service manages will eventually stop when the process needs to re-authenticate or when you need to restart the service whichever comes first. For the scheduled task, the task will fail to run at the next scheduled time.
This is a manual process to open the Windows Service, click on the Log On tab, enter the updated password, click apply then restart the service for the changes to take effect.
For Scheduled tasks you must open the scheduled task click OK then type in the updated password in the pop-up window then click Ok to complete the change.
What Are the Alternatives?
Since manually resetting service account passwords and having to make sure you update the password anywhere the account is being used can be a lot of work most IT companies just do not do it. There are however some alternative approaches you can take to manually rotating service account passwords. Each method has some pros and cons.
1. Create a script to automate the updating of passwords in the in the Windows Service and/or Scheduled task with PowerShell such as in this article from ITProToday.
- Removes the manual effort for the taks required after resetting the service account password
- Requires you to create and maintain your own script which takes time and testing
- Still need to manually reset the service account password in Active Directory
2. Add an MFA (Multi-Factor Authentication) solution to your Active Directory accounts and never change the password
- Adds an additional level of security to your windows account
- Don't need to worry about changing passwords and updating the password in Windows services and scheduled tasks
- Cost. You will need to pay per user per month for a third party hosted MFA solution
- Must enter the username, password, and MFA code every time you login unless you have a push notification solution which is generally more costly
- Even though you have MFA it is still possible to hack and if they do and the password never changes then you may be an easier target
- Does not cover when technicians leave your company. Even with MFA on the account you would at the very least want to reset the password then
3. Set the password to an extremely long and complex password, store the password in a securely encrypted password vault that only a limited amount of people has access to and never change the password.
- Never need to reset the password
- Password is difficult to hack since it's very long and complex
- Access to the password is limited to only a few people
- Password is only accessible by the users who have permission to the vault and know the secret passphrase
- Only a limited number of users will have access to the password if it is needed. Requires those users share the password with other technicians when needed
- The password never changes and even though it is long and limited users have access if those users get infected with key logging malware the password can still be hacked
4. Use an Active Directory Managed Service Account if supported by the process or application. Managed Service Accounts have passwords that are managed by Active Directory and automatically rotated so they do not require administrators to rotate the passwords and thus they can be very advantageous. There are some restrictions so be sure to review the documentation from Microsoft or on this blog article.
- Password rotation is handled automatically by Active Directory
- Automated process
- Passwords are automatically updated in Windows Services
- Does not support scheduled tasks
- Setup time required with PowerShell
- Cannot span multiple computers. It cannot be installed on more than one computer at once
- Must be supported by the application that uses the Window Service
5. Use a third-party solution to automate the rotation of service account passwords. Quickpass now offers a solution that will rotate Windows Service accounts on a specified schedule and update the password in the Windows Service and Scheduled Task then restart the service after to finalize the change
- Complete automated solution
- Supports Windows Services and Scheduled Tasks
- Easy setup. No scripting knowledge required
- Integrates with IT Glue password manager
- Saves time and money
- Paid solution