Change service account passwords - Hitachi ID Privileged Access Manager

On Windows, a service runs either under a built-in identity such as SYSTEM (LocalSystem), which holds nearly every privilege on the machine (and so can do the most damage if compromised) but has no password, or under a real user account with a password, so that it executes with reduced privileges. Consequently every Windows workstation and server carries a number of service accounts, each with its own password, used to run service programs such as web servers, backup agents and anti-virus software.

Service account passwords differ from administrator passwords in that they are stored in at least two places:

  1. Hashed, in the security database (the local SAM database or Active Directory), just like the password of any other account.
  2. Reversibly encrypted, in the registry or elsewhere, where the program that starts the service (the Service Control Manager, for example) can recover the clear-text value when it needs to start the service. For the Service Control Manager this second copy is an LSA secret named _SC_<ServiceName> under HKLM\SECURITY\Policy\Secrets.

Other Windows components besides the Service Control Manager also keep a second copy of a password:

  1. Virtual directories in the IIS web server that access content using a fixed account.
  2. Tasks that the Windows Task Scheduler runs under a named account.

Third-party programs may likewise store passwords outside the Security Accounts Manager (SAM) database.

Of the above passwords, all but those used in IIS are static: nothing changes them unless an administrator does so by hand, so a password that was once disclosed stays valid indefinitely. That is the security exposure this feature addresses.
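Before a rotation tool can update a password in two places it has to know where the second copy lives. The following inventory script is an added example (not Hitachi ID code) that lists, on the local host, every service, scheduled task and IIS identity whose password is held in a secondary store. The exclusion list of built-in and virtual identities, and the skipping of IIS when the WebAdministration module is absent, are the example's own choices; it assumes Windows PowerShell 5.1 or later run as Administrator.

```powershell
# Added example, not part of the Privileged Access Manager product.
# Lists accounts on this host whose password a rotation tool must update
# in a secondary store as well as in SAM/AD.

# Identities with no stored password: built-in service SIDs, virtual accounts
# (NT SERVICE\...) and (group) managed service accounts (name ends in '$',
# password retrieved from AD by Windows). These need no second update.
$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
             'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

function Get-SecondaryCredentialStores {
    $found = New-Object System.Collections.Generic.List[object]

    # 1. Service Control Manager: the clear-text password is the LSA secret
    #    _SC_<ServiceName> under HKLM\SECURITY\Policy\Secrets.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and
                       ($builtIn -notcontains $_.StartName) -and
                       -not $_.StartName.StartsWith('NT SERVICE\') -and
                       -not $_.StartName.EndsWith('$') } |
        ForEach-Object {
            $found.Add([pscustomobject]@{
                Store = 'SCM'; Object = $_.Name; Account = $_.StartName
                SecretName = "_SC_$($_.Name)" })
        }

    # 2. Task Scheduler: only tasks registered with stored credentials
    #    (LogonType Password or InteractiveOrPassword) keep a second copy.
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -and
                       ($_.Principal.LogonType -in @('Password', 'InteractiveOrPassword')) } |
        ForEach-Object {
            $found.Add([pscustomobject]@{
                Store = 'TaskScheduler'; Object = "$($_.TaskPath)$($_.TaskName)"
                Account = $_.Principal.UserId; SecretName = $null })
        }

    # 3. IIS: application pools and virtual directories with explicit
    #    credentials, stored encrypted in applicationHost.config.
    if (Get-Module -ListAvailable WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\AppPools |
            Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
            ForEach-Object {
                $found.Add([pscustomobject]@{
                    Store = 'IIS-AppPool'; Object = $_.Name
                    Account = $_.processModel.userName; SecretName = $null })
            }
        Get-WebConfiguration -Filter '/system.applicationHost/sites/site/application/virtualDirectory' |
            Where-Object { $_.userName } |
            ForEach-Object {
                $found.Add([pscustomobject]@{
                    Store = 'IIS-VDir'; Object = $_.ItemXPath
                    Account = $_.userName; SecretName = $null })
            }
    }
    $found
}

# Every row is a password that stays static unless something rewrites the
# secondary store when the account's password changes.
Get-SecondaryCredentialStores | Sort-Object Account, Store |
    Format-Table Account, Store, Object, SecretName -AutoSize
```

Run it against a freshly built server and compare the output with the list of accounts the rotation tool knows about; any account that appears here but is unknown to the tool is one whose password will silently go stale at the next rotation.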

Hitachi ID Privileged Access Manager can be configured to secure service account passwords. What this means depends on the mode of operation:

  1. In pull mode, the Privileged Access Manager workstation service periodically randomizes service account passwords locally, in coordination with the central Privileged Access Manager server cluster.
  2. In push mode, Privileged Access Manager servers periodically connect to Windows servers and change the passwords of service accounts remotely.

In both cases, Privileged Access Manager notifies the program that launches the service of the new password value, so that the service can still be started at the next system restart or when an administrator manually stops and restarts it. If only the copy in SAM or Active Directory were changed, the next start would fail with a logon failure.

In push mode, Privileged Access Manager runs an exit program which connects remotely to the server in question and updates the secondary copy of the service password. Exit programs are shipped with the base Privileged Access Manager software distribution to remotely update:

  1. The Windows Service Control Manager.
  2. The Windows Task Scheduler.
  3. The IIS web server.

Privileged Access Manager does not normally restart services after notifying the appropriate OS component of a new password, since the new password is only needed the next time the service starts. However, Privileged Access Manager can be configured to restart selected services after a password change.

Any problem encountered while updating a service password can, and should, be configured to trigger an exit trap program on the Privileged Access Manager server. The trap notifies an administrator that the stored copy no longer matches the new password and that the service will fail to start the next time it is launched.

Privileged Access Manager implementers, Hitachi ID Systems and integrators can write additional exit programs to update service passwords used by other programs and stored in other locations. These are typically command-line programs (Windows executables or scripts) that run on the Privileged Access Manager server.
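To make the push-mode sequence above concrete (change the password, update each secondary store, optionally restart, alert on failure), here is a sketch of a custom exit program of the kind this paragraph describes. It is an added example and not one of the exit programs Hitachi ID ships: a PowerShell script that would run on the Privileged Access Manager server after the account's password has already been changed in Active Directory. The parameter names, the use of WinRM (Invoke-Command) to reach the target, and the event-log check after a restart are the example's own assumptions; it requires an account with administrative rights on the target.

```powershell
<#
  Added example, not a Hitachi ID exit program.
  Hypothetical push-mode exit program: after $Account's password has been
  set to $NewPassword in AD, rewrite the stored copy on $Target in the SCM,
  Task Scheduler and IIS, restart only the services named in $RestartServices,
  and exit non-zero on any failure so that an exit trap can alert an admin.
  WinRM protects the password in transit (Kerberos or HTTPS); in production
  pass it as a SecureString rather than a plain string.
#>
param(
    [Parameter(Mandatory)][string]$Target,        # e.g. app01.corp.example (assumed)
    [Parameter(Mandatory)][string]$Account,       # e.g. CORP\svc-backup (assumed)
    [Parameter(Mandatory)][string]$NewPassword,
    [string[]]$RestartServices = @()              # selective restart list
)

$remote = {
    param($Account, $NewPassword, $RestartServices)
    $errors = @()

    # 1. Service Control Manager: Win32_Service.Change rewrites the LSA secret
    #    _SC_<ServiceName>; a return value of 0 means success.
    Get-CimInstance Win32_Service | Where-Object { $_.StartName -eq $Account } |
      ForEach-Object {
        $r = Invoke-CimMethod -InputObject $_ -MethodName Change `
               -Arguments @{ StartName = $Account; StartPassword = $NewPassword }
        if ($r.ReturnValue -ne 0) { $errors += "SCM $($_.Name): rc=$($r.ReturnValue)" }
      }

    # 2. Task Scheduler: re-register each task's principal with the new credentials.
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -eq $Account } |
      ForEach-Object {
        try { Set-ScheduledTask -InputObject $_ -User $Account -Password $NewPassword | Out-Null }
        catch { $errors += "Task $($_.TaskPath)$($_.TaskName): $_" }
      }

    # 3. IIS application pools that run as this account.
    if (Get-Module -ListAvailable WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\AppPools |
          Where-Object { $_.processModel.identityType -eq 'SpecificUser' -and
                         $_.processModel.userName -eq $Account } |
          ForEach-Object {
            try { Set-ItemProperty "IIS:\AppPools\$($_.Name)" -Name processModel.password -Value $NewPassword }
            catch { $errors += "AppPool $($_.Name): $_" }
          }
    }

    # 4. Selective restart. A restart is also the earliest moment at which a
    #    stale stored password shows up: the SCM logs event 7038 ("unable to
    #    log on ... with the currently configured password").
    foreach ($svc in $RestartServices) {
        $since = Get-Date
        try { Restart-Service -Name $svc -ErrorAction Stop }
        catch { $errors += "Restart $svc : $_" }
        $display = (Get-Service -Name $svc -ErrorAction SilentlyContinue).DisplayName
        $bad = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7038; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -like "*$display*" }
        if ($bad) { $errors += "Logon failure for $svc after restart: stored password still stale" }
    }
    $errors
}

$failures = Invoke-Command -ComputerName $Target -ScriptBlock $remote `
              -ArgumentList $Account, $NewPassword, $RestartServices
if ($failures) {
    $failures | ForEach-Object { Write-Error $_ }
    exit 1    # non-zero exit code: let Privileged Access Manager fire its exit trap
}
exit 0
```

The important design point is the exit code: the script does not try to decide what to tell the administrator, it only reports each store it could not update and fails, leaving notification to the exit trap configured on the Privileged Access Manager server. Re-running it is safe, since every step simply writes the same new password again.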

In pull mode, the Privileged Access Manager workstation service uses a DLL to update the locally stored passwords. DLLs are provided for the same Windows components as the push-mode exit programs above, and implementers can write new DLLs to update passwords for other types of accounts.