Service accounts are indispensable in any infrastructure. Some service accounts may be as old as the infrastructure itself.

What are service accounts?

Service accounts are normal user accounts with special privileges created explicitly to run applications, automate services, and perform other background processes. To eliminate the risks that come with running business-critical services on user accounts, organizations moved to using managed service accounts.

Managed service accounts are domain accounts whose passwords are automatically managed by domain controllers. While creating managed service accounts, you can specify the computers they’ll be run on. This ensures that the services will run only on the specified computers. These accounts help in securely running services and delegating activities to other administrators.

Group managed service accounts (gMSAs), as the name suggests, offer the same functionality as managed service accounts but can be used on multiple servers rather than being tied to a single computer.

Are you still using normal user accounts to run services? It’s difficult to have a concrete answer to this question because these accounts could be scattered across your infrastructure.

Having limited or no visibility into your service accounts can lead to disastrous consequences.

Let’s take a quick test (pause and answer these before scrolling down!):

  1. What would you do to list all the services running in your AD environment?

  2. How do you manage your service account passwords?

  3. How many of your services run using user accounts?

Listing all the services running across AD

You can get the list of your service accounts easily if you have configured them using meticulous naming conventions. One of the widely accepted notations for naming service accounts is prefixing the account name with svc. This can help you easily pull out the accounts using simple string commands in PowerShell.

Let’s get real here. No organization religiously sticks to naming conventions. Also, attackers often try to identify service accounts in an infrastructure by looking up well-known naming conventions. So, this option is archaic and inefficient.

Another way to get the list of all your service accounts is to create a separate OU to hold all of them. Well, most of us are guilty of not doing this.

The PowerShell command get-wmiobject win32_service -comp <name> | Group Startname -NoElement (where -comp is short for -ComputerName) lists the services running on a single computer, grouped by the account each service starts under. However, it is time-consuming to run this on every system to get the complete list.
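Here is an added example, not code from the original post, that carries that per-computer command across every enabled computer object in the domain and shows the svc* name filter beside it so the two approaches can be compared. It assumes the ActiveDirectory (RSAT) module is installed, that the account running it can read the domain and has WinRM/CIM access to the hosts, and the list of built-in identities to skip is my own selection.

```powershell
# Added example: inventory which accounts actually run services across the domain,
# instead of relying only on an "svc" naming convention.
# Assumes the ActiveDirectory module (RSAT) and WinRM/CIM access to the target hosts.
Import-Module ActiveDirectory

# Built-in identities that are not candidates for service-account review (constructed list).
$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\SYSTEM')

# 1) The naming-convention shortcut: quick, but only as good as your discipline.
$byName = Get-ADUser -Filter 'SamAccountName -like "svc*"' -Properties PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, PasswordLastSet, PasswordNeverExpires
$byName | Format-Table -AutoSize

# 2) The authoritative sweep: ask every enabled domain computer which account each service runs as.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty DNSHostName

$results = foreach ($computer in $computers) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop |
            Where-Object {
                $_.StartName -and
                ($builtIn -notcontains $_.StartName) -and
                ($_.StartName -notlike 'NT SERVICE\*')   # skip per-service virtual accounts
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer  = $computer
                    Service   = $_.Name
                    StartName = $_.StartName                 # e.g. CONTOSO\svc-backup or CONTOSO\gmsa-web$
                    IsMsa     = $_.StartName.EndsWith('$')   # MSA/gMSA identities end with '$'
                    State     = $_.State
                }
            }
    }
    catch {
        # Unreachable hosts are reported rather than silently skipped, so gaps in coverage are visible.
        Write-Warning "Could not query $computer : $($_.Exception.Message)"
    }
}

# Group by account so you can see which identities are reused across many hosts.
$results | Group-Object StartName | Sort-Object Count -Descending |
    Select-Object @{n='Account';e={$_.Name}}, Count,
                  @{n='Computers';e={($_.Group.Computer | Sort-Object -Unique) -join ', '}} |
    Format-Table -AutoSize

# Accounts that run services but are ordinary user objects (not MSA/gMSA) are the legacy cases to review.
$results | Where-Object { -not $_.IsMsa } | Select-Object StartName -Unique
```

The second half is the one to trust: it reports what the Service Control Manager on each host is actually configured with, so an account that never followed the naming convention still shows up. Comparing the two lists tells you how far your inventory has drifted from your convention.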

To get the full list of service accounts in a few clicks, you can utilize the free Service Account Management tool from ManageEngine.

This tool not only gives you the list of all managed service accounts but also helps you create, delete, edit, enable, and disable managed service accounts in bulk.

Managing service account passwords

Who has access to service account passwords? Who can rotate or change the expiry date of service account passwords? These details are often ambiguous.

To manage service account passwords, you need to get the list of the principals that can manage the service accounts. These principals could be:

  • Group managed service accounts

  • Managed service accounts

  • User accounts that run legacy services (if your organization is using user accounts to run services, you must give the next part of this blog a read)

You can narrow down your search by singling out the principals that are allowed to retrieve a given gMSA’s managed password using the following PowerShell command:

Get-ADServiceAccount -Identity <gMSA-account> -Properties PrincipalsAllowedToRetrieveManagedPasswords

Once you have the list of principals that can manage passwords, you can streamline the password security of these service accounts.
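As an added example (not from the original post), the following script runs that query over every gMSA in the domain at once, resolves the principal DNs to readable names, and flags the two conditions a reviewer usually wants to see first: accounts nobody is allowed to use, and accounts whose password is readable by overly broad groups. It assumes the ActiveDirectory module and read access to the service account objects; the "overly broad" group names are a constructed watchlist you should adapt to your own environment.

```powershell
# Added example: review every gMSA in the domain and list which principals may retrieve
# its managed password. Assumes the ActiveDirectory module and read access to the objects.
Import-Module ActiveDirectory

# Principals that should rarely, if ever, be allowed to retrieve a gMSA password (constructed watchlist).
$overlyBroad = @('Domain Computers', 'Domain Users', 'Authenticated Users', 'Everyone')

$props = @(
    'PrincipalsAllowedToRetrieveManagedPasswords',
    'ManagedPasswordIntervalInDays',
    'PasswordLastSet',
    'Enabled',
    'ServicePrincipalNames'
)

$report = Get-ADServiceAccount -Filter * -Properties $props | ForEach-Object {
    # Resolve each principal DN to its SAM account name (computers, groups or users).
    $principals = @(
        foreach ($dn in $_.PrincipalsAllowedToRetrieveManagedPasswords) {
            (Get-ADObject -Identity $dn -Properties SamAccountName).SamAccountName
        }
    )

    [pscustomobject]@{
        Account      = $_.SamAccountName
        Enabled      = $_.Enabled
        RotationDays = $_.ManagedPasswordIntervalInDays   # how often the DC rotates the password
        PasswordAge  = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { $null }
        Principals   = ($principals -join ', ')
        NoPrincipals = ($principals.Count -eq 0)
        BroadAccess  = [bool]($principals | Where-Object { $overlyBroad -contains $_ })
        SPNs         = ($_.ServicePrincipalNames -join ', ')
    }
}

$report | Format-Table Account, Enabled, RotationDays, PasswordAge, Principals, BroadAccess -AutoSize

# Findings worth acting on: nobody can use the account (possibly stale), or far too many
# hosts can read its password, which widens the blast radius of any one of them being compromised.
$report | Where-Object { $_.NoPrincipals -or $_.BroadAccess } |
    Select-Object Account, Principals, NoPrincipals, BroadAccess
```

A PasswordAge larger than RotationDays on an enabled account is also worth a look; it usually means no authorized host has retrieved the password recently, which is another sign the account may be unused. On a host that is supposed to use the account, Test-ADServiceAccount -Identity <gMSA-account> confirms whether that host can actually retrieve the password.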

Running services using normal user accounts

It’s simply redundant to ask if your AD has user accounts that run services in your infrastructure—the answer is most likely yes. Legacy services that uphold business continuity and cannot be disturbed may run on normal user accounts.

If an attacker compromises any normal user account that has services running on it, what do you think are the consequences? Check out this 30-minute webinar that tells you exactly what happens and how you can prevent it.

Everything you need to know about service accounts

Since service accounts are omnipresent in your infrastructure, it is crucial that you know important information such as what these accounts are, who has access to these services, and how these services work in your infrastructure.

ManageEngine Log360 can give you detailed insights into all the services running in your network. The solution can alert you in real time by sending SMS and email notifications about undesirable changes made to your service accounts.

You can also filter out user accounts using naming conventions such as svc and get in-depth analytics on them.

Check out the demo hosted online to see what Log360 can bring to the table.


Shehnaaz N
Product Marketing Specialist