How to manage and secure the Active Directory service account

How to manage and secure the Active Directory service account

In a typical Active Directory environment there are many different types of accounts. These include a user account, a computer account, and a specific type of account called a service account.

Service account is a special type of account serving a specific purpose, serving services and applications in the environment. Service accounts are also targeted by hackers in cyber security attacks.

So what is a service account? What privileges does it have on a local system? What network security risks are associated with service accounts? How can the IT administrator find out weak passwords that cannot be expired in Active Directory for service accounts?

In this article, we will work with you to answer the above questions.

What is Windows service?

As mentioned above, specific Active Directory accounts serve different purposes in Active Directory Domain Services (ADDS). You can assign an Active Directory account as a service account, a special-purpose account that most organizations create and use to run Windows services on Windows Servers in their environment.

To understand the role of a service account we need to know what Windows services are. Windows Services is a component of the Microsoft Windows operating system, both client and server, allowing long-running operations to execute and run for as long as the server is running.

Unlike applications executed by end users, Windows services are not executed by the end user who is logged on to the system. Services run in the background and are started when Windows starts, depending on the service’s configured behavior.

What is a Windows service account?

Although not run interactively by the end user, Windows services still need an account to allow the service to run in the user’s specific context with special permissions.

Like any other process, a Windows service has a security identifier. This identifier identifies the rights and privileges that it is inherited on the local server and across the network.

Keep in mind that with this security identifier a service account can damage the local system where it is running and across the network. When following a best practice model with few privileges associated with the service, the account ensures that the service account is not granted undue permissions on both local servers and the entire network.

Windows Services can run under a local Windows user account, Active Directory domain user account, or a special LocalSystem account. So what are the three types of accounts that are different from each other?

  • Local Windows user account : A local Windows user is a user that exists only on the local Windows Server or client operating system’s SAM local database. This account is meant only locally and has nothing to do with Active Directory in any way. When using a local Windows account for a service there will be some limitations. These include the inability to support mutual authentication in Kerberos and the challenges of directory-enabled services. However, the local Windows Service account cannot damage the local Windows system. Local Windows users are limited to being used for a service account.
  • Active Directory domain user accounts : The domain user accounts in ADDS are the preferred type of account for Windows Service. It allows to take advantage of various security features included in Windows and ADDS. Active Directory users can assume all the local and network-wide permissions as well as permissions granted to the groups to which they join. Besides, it can also support mutual authentication on Kerberos. You should note that the Active Directory domain user account used for Windows Service should never be a member of the Administrators group. When the domain account is selected to run Windows Service it will be given the right to log on as a service right on the local computer where the service is launched.
  • LocalSystem Account : Use the LocalSystem account as a double-edged sword. The advantage of the LocalSystem account for Windows Service is that it allows the service to have unlimited access to the Windows system, helping to prevent problems with interacting with Windows components. However, this is also a major disadvantage and disadvantage in terms of security because this service can damage the system or become the subject of a network attack. If controlled by hackers, Windows Service running in LocalSystem will have system-wide administrator access.

The Windows Service account is an important account in an Active Directory environment. Choosing the correct user account to run Windows Service helps to ensure that the services work correctly and have the appropriate permissions. So what behaviors would increase the network security risk in Active Directory?

Behaviors that increase cybersecurity risks

For the purpose of reducing administrative burden, the service account password is usually set to never expire. Some agencies and organizations also share the same password for many service accounts. This saves them from having to remember too many passwords.

However, these two behaviors increase the risk of network security with an Active Directory environment. Firstly, when the password is not expired, the system will stick with a password for a long time, potentially causing a very high risk of leakage. Second, sharing a password will cause the entire system to be attacked when only one account has a password leak.

So how do organizations and businesses solve the above problems?

Manage and maintain service accounts with Specops Password Auditor

Specops Password Auditor is a free tool that solves the security issues of your Active Directory account. It can quickly identify accounts, including service accounts, whose passwords are set that do not expire or overlap with each other.

In the screenshot below you can see Specops Password Auditor has pointed out the problem:

  • The password was leaked
  • The password is identical
  • Password does not expire

Specops Password Auditor also has many different categories, detailing the account issues. Below are details about accounts whose passwords don’t expire.

With Specops Password Auditor you can easily identify and handle the security issues of your Active Directory account. If you want to try it out, you can download Specops Password Auditor at the link below:

  • Download Specops Password Auditor

I wish you success and invite you to refer to other great tips on Quantum: