Perils of 'Static' Windows Service Accounts

1 comment
Windows Service Accounts, used by the system programs to run application software services or processes often possess higher or even excessive privileges than normal user accounts. These are indeed very powerful accounts that run critical business processes and services. Many third-party services or scheduled tasks or processes might make use of the same service account, resulting in a complex interconnection.

In many production networks, it is not uncommon to find service accounts with 'static' credentials. Service accounts are normally forgotten after configuring them initially. Passwords are not changed for ages due to the sheer complexity of the service account password reset process. The new password has to be updated in all the associated services or processes. Otherwise, many services will simply not work. Unless the administrator follows the best practice of meticulously maintaining a master list of all service accounts and their dependencies/associations, password change of service accounts will prove herculean.

Static service accounts make the enterprise a haven for hackers! Malicious programs and hacking tools can decipher the service account credentials and wreak havoc on your network. Windows Security Experts often say: "service accounts are one of the simplest ways to turn a compromise of one computer system into a compromise of an entire network".

Properly managing the credentials of Windows Service Accounts is one of the crucial aspects of protecting the Windows Network.

Manual efforts to achieve this is not only time-consuming and mind-boggling, but also error-prone. The best way to ensure security is to automate the Windows Service Account password management.

ManageEngine Password Manager Pro helps achieve this with ease.

Password Manager Pro has the ability to identify the service accounts associated with a particular domain account. While resetting the password of a domain account managed in Password Manager Pro, it will find out the services which use that particular domain account as service account. It will automatically reset the service account password when the domain password is changed.

In certain cases, services corresponding to the service accounts require to be restarted for password reset to take effect. The windows service account password reset feature of Password Manager Pro helps achieve this precisely, fully automated.

You can create scheduled tasks to change the passwords of domain accounts and their associated service accounts in fully automated fashion, in accordance with the IT policy of your enterprise. You need not worry about the service account dependencies.

Try Password Manager Pro now!

1 comment:

  1. Hi all,

    Typically, specific windows domain accounts are used as service accounts in services running in Windows servers, that need network access. Password Manager Pro has the ability to identify the service accounts associated with a particular domain account. Thanks!