Service Account Password Management
Service account password management refers to a process for orchestrating changes to service account passwords in a security database or directory with matching notification to subscribers (i.e., those OS components which start unattended processes such as services and scheduled jobs) of new password values.
Any password which persists for a long period of time may be compromised by an attacker. Attack methods may include:
- Repeated attempts to authenticate to the primary security database (on the network) as the account in question.
- Extracting a copy of the primary security database's database of password hashes and attacking that local copy.
- Extracting a copy of the persistent storage used by a subscriber to hold service account passwords and using passwords from that data to connect to the primary security database.
- Humans who set a service account password in both the primary security database and any subscribers misusing, sharing or otherwise compromising those passwords. This is especially problematic if the network perimeter has been breached and malicious parties have access to sensitive subscribers and/or primary security databases.
- Inability to monitor or control use of service accounts by people who do have a legitimate need to know their passwords.
The solution to all of these security concerns is the same: periodically change service account passwords to new and random values, which are not known to humans and which limit the time available to an attacker to compromise a password. When humans require manual access to these accounts (for example, to schedule a new job or install a new service), control access to these accounts and promptly change the password to a value not known to any humans.
Hitachi ID Privileged Access Manager can be configured to secure service account passwords. This works in one of two ways, depending on the mode of operation:
- In pull mode, the Privileged Access Manager workstation service periodically scrambles service account passwords locally, in coordination with the central Privileged Access Manager server cluster.
- In push mode, Privileged Access Manager servers periodically connect to Windows servers or Active Directory in order to change the passwords of service accounts.
In both cases, Privileged Access Manager must notify the program that launches services -- the subscriber -- of the new password value, so that it can successfully launch the service at the time of the next system restart or when an administrator manually stops and restarts the service in question. In some cases, for example when domain accounts are used to run services, an immediate restart may be required or advisable, due to Kerberos token expiry.
Privileged Access Manager includes extensive automation to discover subscribers and subscriber-to-service-account dependencies. This allows Hitachi ID Systems customers to review which services run in the security context of which named users, on which systems. This is particularly helpful where services run in the security context of domain accounts, since multiple services on multiple servers may rely on the same service account and may therefore require notification of the same new password in a quick and fault-tolerant fashion.
Privileged Access Manager includes several processes that support safe and secure changes to service account passwords:
- Auto-discovery of subscriber/account dependencies for a variety of subscriber types: IIS, Scheduler, SCM, DCOM, at various OS and subscriber versions.
- A white-list mechanism (usually table driven, but a plug-in is available for more complex scenarios) so customers can control which service accounts should have their passwords randomized and when.
- Built-in tools to notify known subscribers of new password values.
- A transaction manager that can retry notifications to off-line subscribers.
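As an added illustration of the discovery, notification and retry steps listed above (this is example code, not Hitachi ID's own tooling), the following PowerShell script finds SCM services and scheduled tasks running under a placeholder domain account on a constructed host list, pushes a freshly generated password to each subscriber, and re-queues any host that cannot be reached. The account name, host names and attempt count are assumptions.

```powershell
# Added example (not Hitachi ID code): notify SCM and Task Scheduler subscribers
# of a new service account password, retrying hosts that are off-line.
param(
    [string]$Account  = 'CORP\svc-placeholder',   # placeholder account (assumption)
    [string[]]$Hosts  = @('app01', 'app02'),      # constructed host list (assumption)
    [int]$MaxAttempts = 3
)

# New random value that no human sees. In a real deployment it would first be
# written to the primary security database (e.g. Set-ADAccountPassword) and only
# then pushed to subscribers, so both sides hold the same value.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$NewPassword = [Convert]::ToBase64String($bytes)

$pending = [System.Collections.Generic.List[string]]::new($Hosts)
$attempt = 0
while ($pending.Count -gt 0 -and $attempt -lt $MaxAttempts) {
    $attempt++
    foreach ($h in @($pending)) {
        try {
            # Discovery: SCM subscribers whose logon account matches (WQL needs '\' doubled)
            $filter = "StartName = '$($Account.Replace('\', '\\'))'"
            $svcs = Get-CimInstance -ComputerName $h -ClassName Win32_Service -Filter $filter
            foreach ($s in $svcs) {
                # Notification: Change() updates only the fields supplied, here the stored password
                $r = Invoke-CimMethod -InputObject $s -MethodName Change -Arguments @{ StartPassword = $NewPassword }
                if ($r.ReturnValue -ne 0) { throw "Change() on service $($s.Name) returned $($r.ReturnValue)" }
            }
            # Discovery and notification for Task Scheduler subscribers registered to run as the account
            $sess = New-CimSession -ComputerName $h
            Get-ScheduledTask -CimSession $sess | Where-Object { $_.Principal.UserId -eq $Account } |
                ForEach-Object {
                    Set-ScheduledTask -CimSession $sess -TaskName $_.TaskName -TaskPath $_.TaskPath `
                        -User $Account -Password $NewPassword | Out-Null
                }
            Remove-CimSession $sess
            $pending.Remove($h) | Out-Null   # all subscribers on this host notified
        } catch {
            # Off-line or failing subscriber: leave it queued for the next pass
            Write-Warning "Attempt $attempt on $h failed: $_"
        }
    }
}
# Hosts still pending correspond to the exit-trap case: an operator must be told
# before a service on them next starts with the stale credential.
if ($pending.Count -gt 0) { Write-Error "Subscribers not notified: $($pending -join ', ')" }
```

Services running under a domain account may still need a manual restart after notification, as the page notes for Kerberos ticket expiry; the script only updates the stored credential.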
The above are primarily used when managed systems are integrated with Privileged Access Manager in "push mode" -- i.e., there is no locally installed software on the target system and Privileged Access Manager initiates all connections remotely, over the network, directly or via a co-located Privileged Access Manager proxy server.
Where push mode is inappropriate -- for example because the relevant services (remote registry, WMI, etc.) are disabled or firewalled, or because the end system is offline or unreachable due to name resolution or IP routing issues (NAT, etc.) -- a pull mode service can be installed on the managed system. It performs essentially the same functions but with much simpler connectivity (it calls home over HTTPS) and no need for network-accessible services on the local system.
Pull mode is normally used on laptops and in some cases desktop PCs, but works on any system running any version of the Windows OS.
Privileged Access Manager can and should be configured so that any problem encountered in updating a service password triggers an exit trap program on the Privileged Access Manager server, which notifies an administrator of an imminent failure when the service in question is next started.
Both the discovery and notification mechanisms described above are extensible. This means that customers who have other types of subscribers -- for example, third party job schedulers -- can add small programs that discover their account dependencies and notify them of new service account passwords. These are typically command-line programs (Windows executable or script) that run on the Privileged Access Manager server. For pull mode, the equivalent form of extensibility is provided via deployment-specific DLLs.