For service accounts, accountability is critical to security

COMMENT
Over the course of my 32 years in cybersecurity, one painful constant has been managing the risks associated with network service accounts.

Service accounts should be machine-to-machine accounts that perform repetitive, automated scheduled tasks without human interaction. Common uses include running applications on operating systems, databases, automated backups, and network maintenance. They should have extremely limited access rights, allow no human interaction, and perform only their intended function.

Rare is the management model that adequately addresses service account issues from a security perspective. Best practices reduce the ability of threat actors to use these accounts to move laterally within the enterprise, undetected by our monitoring systems.

Service account trouble spots

Every organization has service accounts. Every organization would also like to have fewer accounts and better monitoring and control for the accounts they have. Threat actors understand the security risks of service accounts and take advantage of:

  • Lack of visibility. Service accounts can have complex dependencies on processes, applications, database structures, and programmatic systems. These accounts can be extremely difficult, if not impossible, to adequately monitor and protect.

  • Difficulty in monitoring. Because service accounts are not typically associated with a specific person, log review can be confusing and incident investigations become more complicated. The result is that threat actors can act and move laterally through the network while remaining completely undetected.

  • Complicated nature of evictions. If threat actors breach your network and you need to evict them, every single password must be changed in a short period, some more than once. This is where the cost and complexity really mount. To carry out an eviction, you must change the password of each individual service account. If you do not have a good inventory and understand the functionality of all service accounts, you should not attempt an eviction. In that case, the few service accounts that cannot be modified will likely be used by threat actors.

Common gaps in knowledge

Many times during an incident response engagement, I have noticed the following trends across organizations regarding service accounts:

  • No one knows how many service accounts exist or how they are used.

  • Passwords haven’t been changed in years and no one knows how to change them or what would break if they did.

  • No one knows why a service account exists or who owns the account.

  • The organization does not have a process to monitor and secure service accounts.

This is why it makes sense for threat actors to gravitate towards service accounts. These accounts often have unnecessary rights and access.

Develop a global strategy

Understanding the problem is only the first part of developing a comprehensive strategy. Let us now identify the steps to resolve security issues related to service accounts.

  • Inventory all service accounts. This can be done programmatically, using PowerShell or Active Directory tools.

  • Once you have a good inventory, assign an owner to each service account. This brings human intuition and responsibility. You may find that some service accounts are no longer needed.

  • Determine the purpose of all service accounts. How is the account used and what does it do?

  • Document this information very carefully.
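The inventory step above can be started programmatically, as the article suggests. The following PowerShell script is an added example (not code from the article or its author): it pulls candidate service accounts from Active Directory, flags the conditions the article calls out (passwords not changed in years, passwords set never to expire), and writes a CSV with empty Owner, Purpose and LastAttested columns for the later steps to fill in. The RSAT ActiveDirectory module, read access to the domain, the `svc*` naming convention, the 365-day threshold and the column names are all assumptions; adjust them to your environment.

```powershell
# Added example: build a starting inventory of AD service accounts.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
# The naming prefix, the stale-password threshold and the output columns
# are assumptions, not anything prescribed by the article.
Import-Module ActiveDirectory

$StalePasswordDays = 365          # assumed: flag passwords older than a year
$NamePrefix        = 'svc*'       # assumed local naming convention
$OutFile           = '.\service-account-inventory.csv'

$props = 'ServicePrincipalName','PasswordLastSet','PasswordNeverExpires',
         'LastLogonDate','Description','Enabled','MemberOf'

# Candidate 1: any user that registers a Kerberos service principal name
$withSpn = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props
# Candidate 2: any user that follows the naming convention
$byName  = Get-ADUser -Filter "SamAccountName -like '$NamePrefix'" -Properties $props
$users   = @($withSpn) + @($byName) | Sort-Object DistinguishedName -Unique

# Group managed service accounts rotate their own passwords but still need an
# owner and a documented purpose, so they belong in the same inventory
$gmsa = Get-ADServiceAccount -Filter * -Properties PasswordLastSet,Description,Enabled

function Get-AccountRecord {
    param($Account, [string]$Kind)
    $pwAgeDays = if ($Account.PasswordLastSet) {
        [int]((Get-Date) - $Account.PasswordLastSet).TotalDays
    } else { $null }                       # never set: treat as stale below
    # Group names are enough for review; full DNs only clutter the CSV
    $groups = ($Account.MemberOf | ForEach-Object {
        ($_ -split ',')[0] -replace '^CN=' }) -join ';'
    [pscustomobject]@{
        SamAccountName       = $Account.SamAccountName
        Kind                 = $Kind
        Enabled              = $Account.Enabled
        PasswordAgeDays      = $pwAgeDays
        PasswordNeverExpires = $Account.PasswordNeverExpires
        LastLogonDate        = $Account.LastLogonDate
        SPNs                 = ($Account.ServicePrincipalName -join ';')
        Groups               = $groups
        Description          = $Account.Description
        # Finding the article calls out, so reviewers can sort on it
        StalePassword        = ($null -eq $pwAgeDays -or $pwAgeDays -gt $StalePasswordDays)
        # No AD attribute holds these reliably; the owner-assignment step fills them in
        Owner                = ''
        Purpose              = ''
        LastAttested         = ''
    }
}

$inventory  = @($users | ForEach-Object { Get-AccountRecord -Account $_ -Kind 'User' })
$inventory += @($gmsa  | ForEach-Object { Get-AccountRecord -Account $_ -Kind 'gMSA' })

$inventory | Sort-Object StalePassword -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation

'{0} accounts inventoried, {1} with a password older than {2} days or never set' -f `
    $inventory.Count, @($inventory | Where-Object StalePassword).Count, $StalePasswordDays
```

The SPN and naming-prefix filters deliberately over-collect: it is cheaper to strike a human account from the list during the ownership review than to discover an unlisted service account in the middle of an eviction.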

Finally, you can now formalize your service account program to ensure greater security and oversight. You can choose to put your service accounts into a privileged access management (PAM) system, which would be ideal. However, remember that this can be a long and tedious commitment. While it is worth it, don’t think that it won’t take a lot of time and effort.

Next, whether or not you have used PAM, develop a formalized audit and reconciliation program covering the use of each service account. This will depend heavily on the owners of the service accounts. An organization should require each owner to periodically attest to the continued need for the service account (I did this every six months) and to accept the risk associated with continued use of the account. As part of accepting that risk, the owner changes the account password.

Ideally, you can automate this process using software platforms designed to manage risk and to help organizations with governance, risk and compliance (GRC) issues. In such a system, if the automated workflow is not completed correctly, the service account is automatically disabled. If the account then remains disabled for a pre-established period, it is automatically removed. This brings accountability to the management of service accounts.
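The attestation workflow described in the two paragraphs above (owner attests and rotates the password every cycle; a lapsed attestation disables the account; a long-disabled account is removed) can be expressed as a small scheduled script. The following PowerShell is an added example, not the article's own process or any GRC product's code. It assumes the inventory CSV carries Owner, LastAttested, LastPasswordChange and DisabledOn columns, a 180-day attestation cycle and a 30-day grace period; the three rows are constructed test data so the decision logic can be exercised without a domain, and AD changes only happen when `-Apply` is passed.

```powershell
# Added example: reconcile service-account attestations and act on lapses.
# Column names, the 180-day cycle, the 30-day grace period and the sample
# rows are assumptions; nothing here is prescribed by the article.
$AttestationDays = 180
$GraceDays       = 30

function Get-AccountDecision {
    param([Parameter(Mandatory)] $Row, [datetime] $Now = (Get-Date))
    $attested  = if ($Row.LastAttested)       { [datetime]$Row.LastAttested }       else { $null }
    $pwChanged = if ($Row.LastPasswordChange) { [datetime]$Row.LastPasswordChange } else { $null }
    $disabled  = if ($Row.DisabledOn)         { [datetime]$Row.DisabledOn }         else { $null }

    # An attestation only counts if the owner also rotated the password this cycle
    $attestationValid = $attested  -and ($Now - $attested).TotalDays  -le $AttestationDays -and
                        $pwChanged -and ($Now - $pwChanged).TotalDays -le $AttestationDays

    $action, $reason = switch ($true) {
        (-not $Row.Owner)                                        { 'Disable', 'no owner assigned'; break }
        ($disabled -and ($Now - $disabled).TotalDays -gt $GraceDays) { 'Remove',  "disabled more than $GraceDays days"; break }
        ($null -ne $disabled)                                    { 'Wait',    'disabled, grace period running'; break }
        (-not $attestationValid)                                 { 'Disable', "no valid attestation in $AttestationDays days"; break }
        default                                                  { 'OK',      'attested and password rotated' }
    }
    [pscustomobject]@{ Account = $Row.SamAccountName; Action = $action; Reason = $reason }
}

function Invoke-AccountDecision {
    param([Parameter(Mandatory)] $Decision, [switch] $Apply)
    $line = '{0,-12} {1,-8} {2}' -f $Decision.Account, $Decision.Action, $Decision.Reason
    if (-not $Apply) { return "DRY RUN  $line" }
    switch ($Decision.Action) {
        'Disable' {
            Disable-ADAccount -Identity $Decision.Account
            # Record why in the account's Notes (info) attribute for the next investigator
            Set-ADUser -Identity $Decision.Account -Replace @{
                info = "Disabled $(Get-Date -Format s) by attestation job: $($Decision.Reason)" }
        }
        'Remove'  { Remove-ADUser -Identity $Decision.Account -Confirm:$false }
    }
    return $line
}

# Constructed sample state (would normally be Import-Csv of the inventory file)
$state = @(
    [pscustomobject]@{ SamAccountName='svc-backup'; Owner='j.doe';   LastAttested='2024-03-01'; LastPasswordChange='2024-03-01'; DisabledOn='' }
    [pscustomobject]@{ SamAccountName='svc-legacy'; Owner='';        LastAttested='';           LastPasswordChange='2019-05-10'; DisabledOn='' }
    [pscustomobject]@{ SamAccountName='svc-etl';    Owner='a.smith'; LastAttested='2023-01-15'; LastPasswordChange='2023-01-15'; DisabledOn='2024-01-01' }
)
$now = [datetime]'2024-04-01'   # fixed clock so the sample is reproducible

$decisions = $state | ForEach-Object { Get-AccountDecision -Row $_ -Now $now }
$decisions | ForEach-Object { Invoke-AccountDecision -Decision $_ }   # add -Apply to act

# Persist the disable date so the grace period is measurable on the next run
foreach ($d in $decisions | Where-Object Action -eq 'Disable') {
    ($state | Where-Object SamAccountName -eq $d.Account).DisabledOn = $now.ToString('yyyy-MM-dd')
}
$state | Export-Csv -Path '.\attestation-state.csv' -NoTypeInformation
```

With the sample rows, `svc-backup` is reported OK, `svc-legacy` is marked for disabling because it has no owner, and `svc-etl` is marked for removal because it has sat disabled past the grace period. Keeping the decision function separate from the function that touches Active Directory lets the job run in dry-run mode against the full inventory first, which is how you find the undocumented dependencies the article warns about before anything is switched off.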

This comprehensive strategy will reduce the risks associated with using service accounts. Most importantly, the strategy ensures that all service accounts are documented and holds a specific person accountable for their continued use. This responsibility, along with routine password changes, will dramatically reduce risk and help reconcile this important and often overlooked security weakness.
