Going Beyond Local Account Management:
Service Account Discovery, Correlation and Propagation
President & CEO
In the previous month we discussed the management of local accounts and Superuser
As described, changing hundreds of thousands of local accounts and providing delegated access to them was a quick and easy process whether they were on Windows, Linux or other platforms.
After securing your local accounts (which can be done with our Random Password Manager (RPM) product alone), the next stage in privileged identity management is the randomization of so-called service or application accounts.
Our product Enterprise Random Password Manager (ERPM) was designed to take you to the next level of identity management by managing not only accounts, but also where they are being used. This means finding all accounts, figuring out where and how they are used, and then changing them everywhere without causing an outage.
Local accounts like administrator on Windows and root on Linux are generally used to log onto systems, and the power of the identity is then used to perform management tasks. The account names and their passwords are rarely used for anything other than local or remote logon (at least on workstations).
Many servers, however, use accounts like root and administrator to run persistent applications, processes that run whether or not someone is logged into the machine. A web site is one example of such a persistent application, as is a database or another line-of-business application.
These persistent applications and processes need a service account so that they can perform powerful actions on behalf of the application's users. In effect, the account is a proxy that performs a limited set of actions for users who themselves have no access to the sensitive data and systems involved; the rights those users lack are concentrated in that one account, which is what makes it worth protecting.
In many cases, the mechanics of service accounts mean that the account must be known and verifiable not only to the application, but to everything that the application interacts with. Consequently, the service account is generally a powerful Windows domain account, Kerberos, LDAP or database access credential.
Challenge: Service Accounts Must be Changed Regularly
Service account based applications must keep a copy of the powerful credentials needed to perform their actions. The service credentials are generally encrypted or obfuscated, but must be available on demand by the application or
The consequence of the service account structure is that any password change of a Superuser credential must be made not only in the authentication system (i.e. Active Directory), but also in every service or application that stores the password for that same credential. Not only must the authenticator be updated, but also all references to it. Updating all of the places where a service account's password is stored is known as propagation.
IT Gets Into Trouble With Service Accounts
To successfully change the password of an account, you must not only change it in the authentication system, you must also change every place that stores a copy of it. If you miss any of those places, that service will keep presenting the old password and will fail to start or to authenticate. Worse, each attempt with the stale password counts as a failed logon, and under an account lockout policy repeated failures lock the account out. At that point every service that uses the locked out account fails too, including the ones you did update correctly.
The challenge to IT is first to understand what credentials are in their systems and where they are being used, and second to understand how to change the references to those credentials without missing any. The first step is known as discovery and correlation. The second step is known as propagation.
=> More on this subject in NEXT
you think? Email me at: Phil@liebsoft.com.
You can also follow me on Twitter: @liebsoft
or connect with me via LinkedIn.
Tech Tip of the Month
Manage Windows Task Credentials
Scheduled Tasks that are configured to run whether or not the user is logged on store the credentials of the account the task will run under, the Run As account. As is the case with privileged user accounts and service accounts, these Scheduled Task credentials need to be managed and rotated on a regular schedule to prevent unauthorized entry points to your Windows systems. Here's
Workplace Safety and Insurance Board (WSIB)
Based in Toronto, the WSIB is legislated by the Ontario government and is responsible for administering the Workplace Safety and Insurance Act (WSIA).
Situation: IT staff had anonymous privileged access to hundreds of Windows servers. WSIB needed to track and audit this access to protect sensitive data.
Solution: Enterprise Random Password Manager was deployed to servers throughout the network.
Result: Privileged account password changes are now automated throughout the network, with unique, complex passwords for each account. Administrator access to privileged accounts is audited, ensuring full disclosure of "who did what, and when" on systems with access to crucial data.
increases security by tracking when the passwords are being used and who's using them. And if someone leaves the IT team you can just remove them from having access to ERPM, so there's no concern about former employees still being able to access the organization's sensitive information." - Peter Gruner, Team Lead, System Engineering, WSIB
New in Identity Week
Featured commentary on our Identity Week blog this month includes:
the Power Grid. Not surprisingly, reports of serious security hacks in the energy industry are back in the news. Successful hacking of the power grid infrastructure is no surprise to me. In fact, I wouldn't be surprised if most utilities are already heavily infected with malware and viruses that are mostly immune from conventional antivirus and malware solutions...
- The Low Hanging Fruit of IT Security. As companies continue to struggle in today's difficult economy, cutbacks affect all sectors of organizations. Unfortunately, IT security solutions are often not spared from the chopping block, a risky and shortsighted decision if you ask me, but perhaps that's fodder for a future blog...
Events / Press /
talk about the privileged. IDC Insight, ComputerWorld-UK.
With all the packaged privileged identity management solutions
available today, there is no excuse not to act.
are companies so bad at responding to data breaches? The Next Web.
Lieberman says that the C-suite views the implementation of stringent methodology to combat potential hacking threats a lot like the way many regular people treat car insurance: why spend the money to adopt a comprehensive plan hinged upon a mere threat that isn't guaranteed? From a cost-risk analysis perspective, a procedural defense against cyberthreats doesn't seem worth it.