Subscribe to Windows IT Pro
November 18, 2010 12:01 AM

Service Accounts Can Be Secure Yet Have Non-Expiring Passwords

Kevin Willenborg
Windows IT Pro
InstantDoc ID #128799
Rating: (74)

Deny logon locally is a Group Policy Object (GPO) setting that should be used for all service accounts because it shuts down one avenue of exploitation—an interactive logon (e.g., a logon using Ctrl+Alt+Del) to a system with that account. Most security teams frown on allowing accounts with non-expiring passwords to exist, but it's often near impossible to do without having some. One of the biggest concerns people have is the account could be used anywhere on the network, leading to abuse of it. To satisfy security teams and auditors, I came up with a simple way to comply with this security practice but still have service accounts with passwords that don't expire. Here's what you need to do:

  1. In the Active Directory (AD) domain, create a security group named something like DenyLogonsLocal. In this new group, you'll want to include the IDs that you’re planning to run a service or a process with but don't need to be used to interactively log on to any machine in the domain.
  2. From a machine on which Group Policy Management Console (GPMC) is installed, create a GPO. You can disable User Configuration because it's not needed.
  3. Navigate to Windows Settings\Security Settings\Local Policies\User Rights Assignments\Deny logon locally. Enter the security group you created in step 1, and save the GPO.
  4. Make sure the GPO is set to authenticated users. Because all the computers in the domain are part of authenticated users, it will apply to all workstations and servers.
  5. Link this GPO at the domain level with no override (ensures someone doesn't undo your work at a lower-level organizational unit—OU) and with Computer Configuration enabled.
  6. Allow time for the workstations and servers to apply the new GPO, then attempt to do an interactive logon from a workstation or server using one of the IDs you made a member of the security group created in step 1. The logon attempt should fail.
  7. If you have more than one domain, you can put groups from the trusted domain in the GPO. However, you might want to make a GPO like this on both sides (in case of two-way trusts).

I recommend that you only grant the access an account needs rather than automatically giving it Administrator access, as the majority of services and processes can be run without Administrator access. For those accounts that need Administrator access, you can still add IDs in local administrator groups on servers or on workstations to support your process and know the IDs can't be used for interactive logons. In the end, both the IT and security teams are closer to a more secure environment.

Related Content:

ARTICLE TOOLS

Comments
Add A Comment
  • Chris S
    2 years ago
    Dec 02, 2010

    BB is correct in the assertions made. But there still needs to be more. One only needs to scan the news headlines to know that admins snoop, abuse privileges on the job and when fired, and later, just to see if the account is still active. This in addition to anyone else who has ever overheard the password and the fact that these accounts do have some sort of system control and access to sensitive data (even if only via a network connection) makes them prime targets for malicious intent or mistakes. The worst part is even with a small group of admins knowing the passwords, there is still no control short of firing the entire group if something were to go wrong with the account. Regular password changes are necessary for these accounts. The problem is of course that not everyone is certain where these accounts are used and it can take many hours to update a password properly and verify and document it. There are products available that provide random password management and discover and propagate the password changes for these service accounts to all locations such as those in configuration files, services, tasks, applications etc. The best part is, no one knows what the passwords are unless they go to this system to recover it which generates an audit trail around who what when where and why which makes auditors happy, increases network and data security, fills a huge audit hole regarding attestation for who had access to the accounts, and provides for reporting at the touch of a button. Then, when someone leaves on good or bad terms, there is not a question about what knowledge are they taking with them and did we remember to change the password.

  • Brown
    2 years ago
    Dec 01, 2010

    I agree with the GPO to add group to the Deny logon locally policy to prevent use of the account to directly access a system. This does not however provide enough restriction for these types of accounts. Designated "Service Accounts" are granted to be used to configure Windows services to run as this account locally or to be used for network service connections such as database credentials within web applications with back-end databses. Another key configuration we do with the service accounts is to add it to a "service account group", set it for primary group, and remove user object from default "domain users" group. Many domain and web ressources are granting access to "domain Users" group by default and never changed. The service account with the shared password and password never expiration allows access to resources that is not auditable to specifc users.
    Service accounts should belong to a dsignated domain group only, password provided to a limited defined user base, and password reset each time a member of that user group changes.

    BB

You must log on before posting a comment.

Are you a new visitor? Register Here

advertisement

advertisement

Dev Pro Left-Brain SharePoint Pro SQL Server Pro SuperSite for Windows Windows IT Pro

© 2012 Penton Media, Inc.

Home About Us Advertise Customer Service Privacy Statement Subscribe/Renew Terms Of Use

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.