Author: Michael Byrnes, Director of Solutions Engineering, iMEA at BeyondTrust
Service accounts are a particular type of non-human privileged account used to execute applications and run automated services, virtual machine instances, and other processes. These accounts can be privileged local or domain accounts, and in some cases, they may have domain administrative privileges. This high level of privilege facilitates the smooth operation of many IT workflows, but a single service account can easily be referenced in many applications or processes. This interconnection, along with the critical nature of their usage, makes them very difficult to manage.
So let’s delve into how service accounts work, the common challenges in managing them, and the recommended best practices and solutions for properly managing and securing these accounts.
Key challenges
Proper system functioning and business continuity depend on the functioning of the underlying services. The compromise or malfunction of a service account can potentially cause widespread system outages, particularly if an account is associated with multiple services.
Passwords: A consequence of the service account structure is that any password change for a superuser credential must be performed not only in the authentication system (e.g. Active Directory), but also in every service/application that stores the password for that same credential. So, not only must you update the authenticator, but also all references to it. Updating all the places where a service account’s password is stored is known as propagation.
If you miss any of the places that have a stored password, the wrong password will be used and that could spur cascading system failures. The use of an incorrect password by a service could even cause the operating system to think that the account is under attack and, consequently, lock out the account. This means that every service that uses that locked out account will now fail too.
Because of the implications of passwords that don’t correctly sync, many organisations simply choose to ignore the issue, rather than risk downtime. Consequently, service accounts are often configured with non-expiring credentials that remain unchanged for years.
Access: Service accounts have privileged access on the local system and, in some cases (e.g. Windows domain accounts), access to off-system resources. While a service account rarely requires Domain Admin level rights, they are often over-privileged as an easy way to overcome any unforeseen operational challenges that might impact service continuity.
Administration: Since service accounts are not directly associated with a human identity, using a service account requires sharing its credentials among the people who need it. This sharing of credentials dilutes accountability and makes oversight of service accounts difficult.
Centralised provisioning of service accounts has traditionally posed a challenge due to the disparate origin of these accounts (Windows, Unix, Linux and the Cloud have separate accounts, provisioned individually when the software they manage is installed). As a consequence, many organisations manually provision service accounts.
Given the complexities around service account management, some IT teams take the approach of manually managing service account credentials. This is a tedious, error-prone and potentially disastrous process. Manual rotation requires identifying everywhere that a credential exists and executing a change wherever the credential is used. An errant credential change can disrupt services and cause critical systems to go down. Additionally, just as with other forms of password management, humans invariably fall into the trap of using easy-to-remember credentials, or reusing credentials across multiple accounts. When credentials are reused, the compromise of one instance can lead to the compromise of every account that shares the same password.
Visibility and Auditing: Service accounts create visibility issues that are common to all types of machine/non-human accounts. Since they typically run in the background without the interaction of a human user, they may avoid scrutiny and oversight so long as services seem to be operating smoothly. Additionally, most organisations suffer from a sprawl of service accounts, including orphaned accounts that are forgotten and/or no longer used. It is also possible for multiple identities (users) to have access to a service account and share the same login details. This means it may be impossible to connect a single user’s actions to any changes made with the service account.
Put simply, most organisations have serious service account lifecycle management deficiencies when it comes to the provisioning, onboarding, enforcement of security best practices, session auditing and de-provisioning of service credentials.
The management challenges of service accounts also explain why these accounts are prized and sought after by attackers.
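The risk signals described in this section (non-expiring passwords, stale passwords, over-privileged accounts in built-in groups, orphaned accounts, accounts referenced by many services, and credentials shared by several people) can be checked mechanically once an inventory exists. The following is an added example, not code from the original article or from BeyondTrust; the inventory, field names, group list and thresholds are all constructed assumptions rather than any product’s schema or real accounts.

```python
"""Audit a constructed service-account inventory for the risk signals
discussed above. Added example: the inventory, field names, group list and
thresholds are assumptions, not the article's data or a product's schema."""
from dataclasses import dataclass, field
from datetime import date

# Built-in privileged groups a service account should not belong to (assumed list).
BUILTIN_PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                             "Administrators", "Schema Admins"}
MAX_PASSWORD_AGE_DAYS = 90   # assumed rotation policy
FANOUT_WARN = 3              # assumed: more consumers than this = high blast radius
AS_OF = date(2024, 3, 1)     # fixed "today" so the audit is reproducible


@dataclass
class ServiceAccount:
    name: str
    password_last_set: date
    password_never_expires: bool
    groups: set = field(default_factory=set)
    consumers: list = field(default_factory=list)      # services that store the password
    humans_with_password: set = field(default_factory=set)


def audit(accounts, today):
    """Return {account_name: [finding, ...]} for each account with findings."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct.password_never_expires:
            issues.append("password never expires")
        age = (today - acct.password_last_set).days
        if age > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"password is {age} days old")
        over = sorted(acct.groups & BUILTIN_PRIVILEGED_GROUPS)
        if over:
            issues.append("member of built-in privileged group(s): " + ", ".join(over))
        if not acct.consumers:
            issues.append("orphaned: no service references this account")
        elif len(acct.consumers) > FANOUT_WARN:
            issues.append(f"high blast radius: {len(acct.consumers)} consumers")
        if len(acct.humans_with_password) > 1:
            issues.append("credential shared by multiple people: no individual accountability")
        if issues:
            findings[acct.name] = issues
    return findings


# Constructed inventory (not real accounts).
INVENTORY = [
    ServiceAccount("svc-backup", date(2015, 3, 1), True,
                   {"Domain Admins", "Domain Users"},
                   ["BackupAgent", "SQL Agent job", "Nightly ETL", "Report scheduler"],
                   {"alice", "bob"}),
    ServiceAccount("svc-web", date(2024, 1, 10), False, {"Domain Users"},
                   ["IIS AppPool"], {"alice"}),
    ServiceAccount("svc-legacy", date(2012, 6, 1), True, {"Domain Users"}, [], set()),
]

if __name__ == "__main__":
    for name, issues in audit(INVENTORY, AS_OF).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

In the constructed data, svc-web passes cleanly, svc-backup trips every check at once, and svc-legacy is the classic forgotten account: never rotated and referenced by nothing. In practice the inventory rows would come from the discovery step described below (directory queries, service control manager, scheduled tasks, cloud IAM) rather than a hard-coded list.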
Best practices
The best approach to effectively securing service accounts is two-fold. The first element requires an immediate plan to identify all accounts and bring them under centralised management. The second element entails implementing an ongoing programme based on automated onboarding and management of new accounts.
Step One: Identify and centrally manage all accounts
If you do not know where all your privileged service accounts are, you cannot fully control and audit their usage. The first priority, as with all other types of accounts, is to deploy a method of continuous identification and cataloging so they can all be brought under centralised management.
Step Two: Automate management of accounts
Given the dynamic nature of IT environments, auto-discovery capabilities save time and ensure that no account is left unmanaged. Automatically profiling and classifying accounts ensures that new service accounts are immediately brought under control, removing the complexity and risk of manual administration. This enables complete visibility over all privileges in an environment.
Next, privileged credentials (passwords, SSH keys) associated with service accounts need to be centrally secured within an encrypted credential safe. Access to these credentials should be controlled and monitored to mitigate the risk of misuse.
Finally, as service account credentials are changed, the automatic propagation of credentials to all places where they are referenced is a critical factor in preventing systems failures and downtime.
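To make the propagation requirement concrete, here is an added example (not code from the original article or from BeyondTrust) that models the rotation procedure just described and the failure mode from the Passwords section above. The Authenticator class stands in for the directory (e.g. Active Directory) and each Consumer for a service that keeps its own copy of the password; the lockout threshold, the retry count and the verify-then-roll-back strategy are assumptions chosen for the model, not any product’s implementation.

```python
"""Model of service-account password rotation with and without propagation.
Added example; classes, thresholds and rollback strategy are assumptions."""
import secrets

LOCKOUT_THRESHOLD = 5   # assumed bad-password count before the directory locks the account


class Authenticator:
    """System of record for the credential (stands in for the directory)."""
    def __init__(self, password):
        self.password = password
        self.bad_attempts = 0
        self.locked = False

    def authenticate(self, password):
        if self.locked:
            return False
        if password == self.password:
            self.bad_attempts = 0
            return True
        self.bad_attempts += 1
        if self.bad_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True          # every consumer now fails, updated or not
        return False

    def set_password(self, new_password):
        self.password = new_password
        self.bad_attempts = 0
        self.locked = False


class Consumer:
    """A service or application that stores its own copy of the password."""
    def __init__(self, name, password):
        self.name = name
        self.stored = password

    def start(self, authenticator):
        return authenticator.authenticate(self.stored)


def rotate_without_propagation(auth, consumers, retries=2):
    """The failure mode: change the directory only, then let every service
    restart with its stale copy. Returns (failed service names, locked?)."""
    auth.set_password(secrets.token_urlsafe(24))
    failed = []
    for c in consumers:
        for _ in range(retries):     # services typically retry a failed start
            if c.start(auth):
                break
        else:
            failed.append(c.name)
    return failed, auth.locked


def rotate_with_propagation(auth, all_consumers, known_references):
    """Rotate, push the new secret to every known reference, then verify each
    service can still authenticate. A single failure means discovery missed a
    reference, so roll back before the lockout threshold is reached."""
    old = auth.password
    new = secrets.token_urlsafe(24)
    auth.set_password(new)
    for c in known_references:
        c.stored = new
    missed = [c.name for c in all_consumers if not c.start(auth)]
    if missed:
        auth.set_password(old)           # roll back the authenticator ...
        for c in known_references:
            c.stored = old               # ... and every copy we changed
        return {"ok": False, "missed_references": missed}
    return {"ok": True, "missed_references": []}


if __name__ == "__main__":
    # Constructed scenario: one account referenced by three services.
    auth = Authenticator("old-secret-constructed")
    services = [Consumer(n, auth.password)
                for n in ("BackupAgent", "SQL Agent job", "Nightly ETL")]
    print("incomplete discovery:", rotate_with_propagation(auth, services, services[:2]))
    print("complete discovery:  ", rotate_with_propagation(auth, services, services))
    auth2 = Authenticator("old-secret-constructed")
    services2 = [Consumer(n, auth2.password) for n in ("a", "b", "c")]
    print("no propagation:      ", rotate_without_propagation(auth2, services2))
```

Two things the model makes visible: with no propagation, three services retrying twice each is enough to cross the lockout threshold, so the account locks and the outage spreads to every service that uses it; with propagation plus verification, a missed reference is caught on its first failed start (one bad attempt, well under the threshold) and the change is reverted cleanly, which is exactly why discovery must be complete before rotation is trusted.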
In addition to these steps, you should apply a few further best practices: apply the principle of least privilege by creating accounts with only the minimum privilege required to complete a given task; refrain from placing service accounts in built-in privileged groups; and have a “worst-case” plan for outage scenarios that may disrupt the availability of your service account password management solution.
The bottom line
Service accounts are critical to the smooth operation of most IT systems. Manual management of these critical accounts simply won’t scale or meet the security and auditing requirements of modern enterprises.
Today, organisations can leverage solutions to help them automate the discovery and management of service accounts, while securing, controlling, and auditing access to them. Automation is essential to mitigating the risk of service account sprawl and protecting your enterprise from the risks of compromised privileged credentials.