Back to Basics: Service Account Management 101

Service accounts don’t have to be a nightmare. Get them under control now.

Service accounts are typically used in operating systems to execute applications or run programs, either in the context of system accounts (high privileged accounts without any password) or a specific user account, usually created manually or during software installation.  On Unix and Linux they are often known as init or inetd, and can also launch programs.

Can anyone remember who installed this application? And what was the service account password?  All too frequently asked questions!

Service account management is a task that’s all too often overlooked as the accounts can be a pain for organizations to control. Especially across multiple accounts for different services, tasks, and other applications, and in sync—it’s time-consuming and error-prone when done manually. Service account password management is another challenge: administrators can’t safely change a service account password if they don’t know where it’s used without the risk of bringing down other applications.

Frequently, in software installations, the password for the service accounts either remains the default vendor password (easily found on the internet) or is in the memory of the consultant who installed the software.

See how to protect your service accounts before it’s too late.
Download our free eBook: Service Account Security for Dummies

As a result of these bad practices, service account and application passwords are often set to never expire and subsequently remain unchanged year after year. Failing to change service account passwords represents a significant security risk because service accounts often have access to sensitive data and systems.

There is no shortage of these risky accounts. Most organizations have more service accounts than employees, sometimes up to five times as many!  The accounts are often provisioned without any automated controls set in place. If they are provisioned without any robust process in place then that begs the question: is anyone keeping track of these service accounts when they are no longer needed?

This is, unfortunately, common in many organizations, and when it comes to securing the organization against cyber-attacks, it’s a really bad practice. I have seen so many incidents in which the IT Operations team is running around trying to figure out the service account password during a failed upgrade, patch deployment, maintenance mishap, or even worse—during a major security incident. At this point, it is already too late, with end users and the executive team screaming for answers.

Because service accounts are often managed manually from cradle to grave, they are prone to errors.

Here’s an example: A high-powered spreadsheet experience

I was once hired by a state-of-the-art power station. It was relatively new, fully automated with remote controls, and they wanted me to review its cyber security protection and security control.

The physical security was impressive. The security system could tell when visitors were 5 minutes away, gave security advanced warning for when visitors should arrive, what they would be driving, and how many people were in the vehicle. If visitors arrived 1 minute before or after the prediction, they would have to deal with armed guards.

All physical doors had access controls, including the engine rooms. Once inside the engine rooms, each engine had its own control valves to physically change pressure and water flow. The control valves were not secured, although the risk of tampering was low. Command and control via the programmable logic controllers (PLCs) and SCADA control systems all featured the latest and greatest cyber security advanced threat protection, with millions spent to prevent cyber security attacks.

They had built themselves a physical and cyber fortress.

Then it happened. Sitting on the table next to the controls was a printed page. It contained all the IP addresses, usernames, and passwords for each control station and the service accounts. They had not been changed in more than four years and had all been installed by the manufacturer with default vendor credentials.

Anyone could have made copies of this list: visitors, former employees, or even contractors.

Anyone could have taken a smartphone picture and then instigated an attack at their leisure. The power station never would have seen it coming.

A Privileged Service Account with a default vendor password can be the difference between a simple perimeter breach and a cyber catastrophe

Do not be another statistic. Get in control of governing your service accounts right away. Prioritizing this will not only help save you time and money; it will also improve your cyber security and reduce your risk of a cyber-attack.

Like any IT security measure designed to help protect critical information assets, managing and protecting service account requires both a plan and an ongoing program. You must identify which service accounts should be a priority in your organization. This Privileged Access Management Checklist provides a step-by-step guide that global organizations can use to establish their own service account management program.

Define

Define and classify service accounts. Every organization is different, so you need to map out what important applications and programs rely on data, systems, and access. One approach is to reuse a disaster recovery plan that typically classifies important applications and specifies which need to be recovered first. Make sure to align your service accounts to your business risk and operations.
Discover

Discover your service accounts. Use automated PAM software to identify your service accounts, and implement continuous discovery to curb service account sprawl. This helps ensure full, ongoing visibility of your service account landscape crucial to combating cyber security threats. Try our free Privileged Account Discovery Tools for Windows or Unix.

Manage and protect

Protect your service account passwords. Proactively manage, monitor, and control service account access with password protection software. Your solution should automatically discover and store service accounts; schedule password rotation; audit, analyze, and manage activity; and monitor password accounts to quickly detect and respond to malicious activity.

Monitor

Monitor service account activity. Your PAM solution should be able to monitor and record service account activity. This will help enforce proper behavior and avoid mistakes by employees and other IT users because they know their activities are being monitored.

Detect abnormal usage

Track and alert on service account behavior. With up to 80% of breaches involving a compromised user or privileged account, gaining insights into service account access is a top priority. Ensuring visibility into the access and activity of your service accounts in real-time will help spot suspected account compromise and potential abuse.  For example, monitoring when a service account has been used to log on to a system.

Respond to incidents

Prepare an incident response plan in case a service account is compromised. When a service account is breached, simply changing service account passwords or disabling the service account is not acceptable. If compromised by an outside attacker, hackers can install malware and even create their own service accounts or other privileged accounts.

Review and audit

Audit and analyze service account activity. Continuously observing how service accounts are being used through audits and reports will help identify unusual behaviors that may indicate a breach or misuse. These automated reports also help track the cause of security incidents, as well as demonstrate compliance with policies and regulations.  Determine if service accounts are still required, review security controls, and update expiration dates.

With a robust Privileged Access Management solution you can really get in control of your service accounts.