Lieberman Software
October 2012        

Top of Mind

Going Beyond Local Account Management: Service Account Discovery, Correlation and Propagation

Philip Lieberman
President & CEO
Lieberman Software

In the previous month we discussed the management of local accounts and Superuser accounts. 

As described, changing hundreds of thousands of local accounts and providing delegated access to them was a quick and easy process no matter whether they were on Windows, Linux or other platforms.

After securing your local accounts (which can be done with our Random Password Manager (RPM) product alone), the next stage in privileged identity management is the randomization of so-called service or application accounts.

Our product Enterprise Random Password Manager (ERPM) was designed to take you to the next level of identity management by managing not only the accounts themselves, but also the places where they are used. This means finding all accounts, figuring out where and how they are used, and then changing them everywhere without causing an outage.

Defining Service Accounts

Local accounts like administrator on Windows and root on Linux are generally used to log onto systems and the power of the identity can be used for performing management tasks. However, the account names and their passwords are rarely used for anything other than local or remote logon (at least on workstations).

Many servers use accounts like root and administrator to run persistent applications that run whether or not someone is logged into the machine. A web site is one example of such a persistent application, as is a database or other line-of-business application.

The service account is needed for these persistent applications or processes so that they have the ability to perform powerful actions on behalf of the users of the application. In effect, these accounts are proxies used to perform limited actions on behalf of users who have no access to sensitive data and systems.

In many cases, the mechanics of service accounts mean that an account must be used that is known and verifiable not only to the application, but to everything that the application interacts with. Consequently, the service account is generally a powerful Windows domain account, Kerberos, LDAP or database access credential.

The Challenge: Service Accounts Must be Changed Regularly

Service-account-based applications must keep a copy of the powerful credentials needed to perform their actions. The service credentials are generally encrypted or obfuscated, but must be available on demand to the application or service.

The consequence of the service account structure is that any password change of a Superuser credential must be done not only in the authentication system (i.e. Active Directory), but also in every service/application that stores the password for that same credential. We can say that not only must the authenticator be updated, but also all references. Updating all of the places where a service account is stored is known as propagation.

Where IT Gets Into Trouble With Service Accounts

To successfully change the password of an account, you must not only change it where it is being stored, you must also change every place that references that account. If you miss any of the places that have a stored password, the wrong password will be used and that service will fail to work properly. In some cases, the use of an incorrect password by a service can cause the operating system to think that the account is under attack and lock out the account. This last scenario means that every service that uses that locked-out account will now fail too.

The challenge to IT is first to understand what credentials are in their systems as well as where they are being used. The second challenge is to understand how to change the references to those credentials and not miss any. The first step is known as discovery and correlation. The second step is known as propagation.

=> More on this subject in NEXT MONTH'S Newsletter.

What do you think? Email me at: You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.

Tech Tip of the Month

Manage Windows Task Credentials

Windows Scheduled Tasks contain security credentials for the account that the task will run under, or the Run As Account. As is the case with privileged user accounts and service accounts, these Scheduled Task credentials need to be managed and rotated on a regular schedule to prevent unauthorized entry points to your Windows systems. Here's how.
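
A read-only sketch of the discovery and correlation steps on a single Windows host, covering both services and the Scheduled Task Run As accounts described above. It is an example added here, not Lieberman Software's code and not a description of how ERPM works; the function name Test-ManagedAccount and the list of built-in identities are assumptions.

```powershell
# Added example: inventory where non-built-in accounts are referenced on this
# host, then correlate the references by account. Read-only; changes nothing.

# Assumed list of built-in identities that have no stored password to propagate.
$builtIn = @(
    'LocalSystem', 'SYSTEM', 'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
    'LOCAL SERVICE', 'NETWORK SERVICE'
)

function Test-ManagedAccount {          # hypothetical helper name
    param([string]$Account)
    if ([string]::IsNullOrWhiteSpace($Account)) { return $false }
    if ($Account -like 'NT SERVICE\*') { return $false }   # virtual service accounts
    return ($builtIn -notcontains $Account)                # case-insensitive match
}

# Discovery, part 1: services and the account each one starts as.
$services = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-ManagedAccount $_.StartName } |
    ForEach-Object {
        [pscustomobject]@{ Account = $_.StartName; Kind = 'Service'
                           Reference = $_.Name; Detail = $_.StartMode }
    })

# Discovery, part 2: scheduled tasks and their Run As account.
# Detail carries the principal's LogonType (how the task authenticates).
$tasks = @(Get-ScheduledTask |
    Where-Object { Test-ManagedAccount $_.Principal.UserId } |
    ForEach-Object {
        [pscustomobject]@{ Account = $_.Principal.UserId; Kind = 'ScheduledTask'
                           Reference = $_.TaskPath + $_.TaskName
                           Detail = $_.Principal.LogonType }
    })

# Correlation: one row per account listing every reference that must be
# updated together when that account's password changes.
# Names are compared as stored, so 'DOMAIN\svc' and 'svc@domain' stay separate.
$services + $tasks | Group-Object -Property Account |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Account    = $_.Name
            References = $_.Count
            Where      = ($_.Group | ForEach-Object { "$($_.Kind):$($_.Reference)" }) -join '; '
        }
    } | Format-Table -AutoSize -Wrap
```

An account that appears with more than one reference is the case where a missed update leads to the failures and lockouts described earlier.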

Customer Snapshot: Workplace Safety and Insurance Board (WSIB)

Based in Toronto, the WSIB is legislated by the Ontario government and is responsible for administering the Workplace Safety and Insurance Act (WSIA).

The Situation: IT staff had anonymous privileged access to hundreds of Windows servers. WSIB needed to track and audit this access to protect sensitive data.

The Solution: Enterprise Random Password Manager was deployed to servers throughout the network.

The Result: Privileged account password changes are now automated throughout the network - with unique, complex passwords for each account. Administrator access to privileged accounts is audited – ensuring full disclosure of “who did what, and when” on systems with access to crucial data.

“ERPM increases security by tracking when the passwords are being used and who’s using them. And if someone leaves the IT team you can just remove them from having access to ERPM, so there’s no concern about former employees still being able to access the organization’s sensitive information.” - Peter Gruner, Team Lead, System Engineering, WSIB

Click here to read the detailed success story.

What's New in Identity Week

Featured commentary on our Identity Week blog this month includes:
  • Hacking the Power Grid. Not surprisingly, reports of serious security hacks in the energy industry are back in the news. Successful hacking of the power grid infrastructure is no surprise to me. In fact, I wouldn’t be surprised if most utilities are already heavily infected with malware and viruses that are mostly immune from conventional antivirus and malware solutions...
  • The Low Hanging Fruit of IT Security. As companies continue to struggle in today’s difficult economy, cutbacks affect all sectors of organizations. Unfortunately, IT security solutions are often not spared from the chopping block – a risky and shortsighted decision if you ask me, but perhaps that’s fodder for a future blog...

Events / Press / Analysts
  • Let's talk about the privileged. IDC Insight, ComputerWorld-UK. With all the packaged privileged identity management solutions available today, there is no excuse not to act.
  • University Medical Center Hamburg-Eppendorf Secures Administrator Passwords with Lieberman Software. Random Password Manager helps the University Hospital protect access to sensitive data by securing powerful administrator accounts on all managed systems.
  • Why are companies so bad at responding to data breaches? The Next Web. Lieberman says that the C-suite views the implementation of stringent methodology to combat potential hacking threats a lot like the way many regular people treat car insurance: why spend the money to adopt a comprehensive plan hinged upon a mere threat that isn’t guaranteed? From a cost-risk analysis perspective, a procedural defense against cyberthreats doesn’t seem worth it.

Lieberman Software Corporation
1900 Avenue of the Stars, Suite 425
Los Angeles, CA  90067
(01) 310-550-8575