On a given day, thousands of application services run on a typical corporate network using service account passwords. These application services include Windows Services, scheduled tasks, batch jobs, and Application Pools within IIS, and they often have a high level of network privilege, connecting across the network to databases, file systems, and network services.
Although recent improvements in Windows Server 2012 R2 allow access to these accounts without the use of passwords, most organizations have not yet upgraded to Windows Server 2012 R2, leaving the bulk of these accounts at high risk of attack or abuse.
Control managed service accounts
Service accounts are high-risk privileged accounts used by many different applications. Often, system administrators will lose track of the details for these accounts. This makes it very difficult to meet compliance requirements because:
- They can’t ensure strong passwords across all accounts.
- They can’t control access to service account passwords.
- They can’t change passwords on service accounts without knowing the applications that are dependent on that credential for daily operation.
The first step of service account management is to inventory all service accounts and where they are used. This can be done using Secret Server’s Service Account Discovery. Discovery for service accounts needs to be an ongoing, automated process to maintain an accurate inventory because administrators may deploy new services at any time using new or existing service accounts.
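A per-host starting point for the inventory step described above, as an added example that is not Secret Server's Service Account Discovery or any vendor code. The helper names `Test-CustomAccount` and `New-Finding` are hypothetical; the script assumes it runs locally in an elevated PowerShell session and that the list of built-in identities to exclude is sufficient for the host.

```powershell
# Added example: per-host inventory of accounts that run services, tasks and app pools.
# Built-in identities have no administrator-set password, so they are filtered out.
$builtIn = 'LocalSystem', 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE',
           'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

function Test-CustomAccount {
    param([string]$Account)
    if ([string]::IsNullOrWhiteSpace($Account)) { return $false }
    if ($builtIn -contains $Account)            { return $false }  # case-insensitive match
    if ($Account -like 'NT SERVICE\*')          { return $false }  # per-service virtual accounts
    return $true
}

function New-Finding {
    param($Type, $Name, $Account, $Detail)
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Type     = $Type
        Name     = $Name
        Account  = $Account
        Detail   = $Detail
    }
}

$findings = @(
    # Windows services: StartName holds the logon account.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { Test-CustomAccount $_.StartName } |
        ForEach-Object { New-Finding 'Service' $_.Name $_.StartName $_.StartMode }

    # Scheduled tasks: a LogonType of 'Password' means a credential is stored with the task.
    Get-ScheduledTask |
        Where-Object { Test-CustomAccount $_.Principal.UserId } |
        ForEach-Object { New-Finding 'ScheduledTask' ($_.TaskPath + $_.TaskName) $_.Principal.UserId $_.Principal.LogonType }

    # IIS application pools, only when the WebAdministration module is installed.
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\AppPools |
            Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
            ForEach-Object { New-Finding 'AppPool' $_.Name $_.processModel.userName $_.State }
    }
)

# Sort by account to see every place a password change would have to reach.
$findings | Sort-Object Account, Type, Name |
    Format-Table Account, Type, Name, Detail, Computer -AutoSize
```

Running it on a schedule and comparing the output with the previous run shows newly deployed services that use new or existing service accounts.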
Change service account passwords
Once the inventory of service accounts is complete, it is important to change service account passwords. Secret Server can automate this easily. Once configured to change service account passwords, it automatically updates all the inventoried locations, restarts each dependent service, and executes any custom scripts needed for legacy applications, so that every application that depends on the service accounts is properly updated.