Service accounts: A major security hole

By Brien M. Posey | Jun 20, 2000 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/623641/Service-accounts-A-major-security-hole.htm

One of the biggest security holes in your network is caused by service accounts. In this article, I'll explain why service accounts are such a big problem. I'll then go on to explain what you can do about this situation.

What are they?

For those who may be new to Windows NT/2000, service accounts are security accounts used by external programs that reside on the server. The purpose of the service accounts is to let the associated program log in as a service and perform some high-level task even when no one is logged directly in to the server. For example, Microsoft's Exchange Server depends on a service account for the Exchange services to be able to run.

Security problems

"It's important to point out, though, that if you already have a service account that you're using, you shouldn't try to create an account with a more descriptive name to replace the existing account. "
Service accounts are such a threat partly because of their security level. Due to the types of operations for which service accounts are responsible, these accounts often have administrative privileges or higher (yes, there are access levels higher than that of Administrator--but that's another article).

Another reason for the big security hole is that service account passwords are rarely changed. If a member of your IT staff resigns, the first thing you probably do is to disable their user account and change the password of the

Administrator account. However, the service accounts are usually left alone, because of the difficulty associated with changing their passwords. As a result, it's possible for a disgruntled former employee to log in to the system using a service account and do anything they could do if they were logged in as Administrator. Not a comforting thought.

Hard-to-change passwords

As I mentioned, service account passwords tend to be difficult to change. This is the case because if you change a service account password by using the usual method, but you don't change the references to the password, the services that depend on the password will fail to start the next time the server reboots.

To get around this problem, it's best to use meaningful service account names. For example, if you're setting up Exchange Server, you might use a service account name like EXCHNGSVC. You can then document the account name, password, and all the services that depend on the service account. That way, when someone leaves the company (or when you feel the need for a periodic password change), you can simply refer to your documentation to see what the service account in question effects.

It's important to point out, though, that if you already have a service account that you're using, you shouldn't try to create an account with a more descriptive name to replace the existing account. As I mentioned, special high-level permissions are often assigned to the service account, and just a simple account with administrative privileges may not get the job done.

Third-party help

If your existing network is in chaos and you have no idea what services the service account controls, there is a way to painlessly manage your existing service account passwords. A company called Fundamental Software has just released the 3.0 version of a product called Enterprise Configuration Manager. This product is designed to help you manage your network. Among other features, this software can search all the servers in your network for each use of a service account. You can then change the service account password within the software, and the software will automatically update every effected service on every server across your entire enterprise with the new password. You can learn more about Enterprise Configuration Manager at fundamentalsoftware.