Service accounts, frequently used with applications, systems and web services, are a critical component to operations of information technology. The ever-evolving threat landscape for service accounts has changed the way organizations must protect them. This post describes the fundamentals of service accounts, the risks they pose and the challenge for management.
What are service accounts?
Service accounts are credentials (e.g. user id and password and API keys) that are used by “non-human” actors, such as applications, systems, web services and/or scripts. They typically have highly privileged permissions to computer systems, web services/APIs, applications and/or databases.
What are the risks with service accounts?
Given the nature of access for service accounts, they are valuable targets for exploitation. There are significant risks which differ from normal, user accounts that make them unique.
- Service accounts can require privileged access to servers, applications and databases. By compromising a service account, attackers get the kind of access they need to move vertically or laterally across the network to gain access to sensitive or restricted data. Often, service accounts are found as members in a domain admins OU or local admins for servers, violating the principal of least privilege (a concept where access rights for an account are limited to bare minimum permissions) in order to simply allow the service to run.
- Service accounts are used by services or applications, not humans, to perform activities, and as a result, multi-factor authentication (MFA) cannot be applied and passwords are often set to never expire. MFA requires human interaction when entering credentials to authenticate to an application or system. Because of this, service accounts cannot apply MFA as a security control, making these accounts a high value target for attackers. Further complicating this, because the frequent rotation of service account passwords may cause certain activities to be unable to run, organizations often accept the risk of not changing passwords over the risk operations will be hindered. One common threat to organizations that fail to rotate service account passwords is Kerberoasting, which is an attack method that exposes a weakness in the Kerberos protocol for Windows services.
- Some applications have their service account credentials exposed in easy-to-find places. An example is open source sharing of source code (e.g. GitHub), if developers do not remove credential information from source code before posting or ensure rotation of credential secrets (i.e. passwords or keys) those credentials are at risk of being used by an attacker. Additionally, it is common for service account credentials to have default passwords and/or credentials embedded in configuration files unencrypted.
Balancing security and operations
Service accounts are typically used to automate processes — sometimes critical processes — of an application. Because of this, tampering with service accounts can disrupt operations, impacting the organization’s ability to generate revenue. Additionally, because of the broad use of these types of accounts, it is a challenge for organizations to grasp the full scope of service accounts within their environment. In almost all cases, support staff and administrators do not have a complete account of all services running under the context of service accounts. Due to the pervasiveness of services accounts within organizations and the increasing risk of these accounts as a target for attackers, there is heightened importance to scan the environment identifying unknown accounts and accounts that are no longer being managed effectively.
Top 5 Considerations when Managing Service Accounts
Service accounts must be governed and managed effectively to address both security and operational risks. Organizations should prepare a plan of action to protect these accounts.
1. Implement PAM technology with effective governance and sponsorship
To address the complexities of managing service accounts, organizations invest time and money on a Privileged Account Management (PAM) solution. While service accounts can be managed with a PAM solution, not all service accounts perform the same actions and cannot be managed the same. Developing strong governance (including discovery, credential lifecycle / management, and monitoring) over service accounts helps organizations to have full visibility into and manage all of the service accounts within their environment. Having a PAM solution is a first step, but without proper sponsorship to establish governance and understand complexities of protecting service accounts, operational risks may outweigh security risks to implement effective controls.
2. Develop complete inventory of service account passwords and dependencies
To maintain the full scope of service accounts across the organization, a complete inventory of all existing service account passwords and dependencies should be developed. At a minimum, the following steps should be taken to develop and maintain this inventory:
- When new software is installed, ensure that all service accounts are identified and protected with proper procedures and controls
- Establish a formal onboarding process for service accounts
- On a periodic basis, use a tool that will scan the environment to discover service accounts across the organization.
- Establish roles, responsibilities and ownership of service accounts.
3. Establish effective governance model to manage service accounts
When asked about policies, standards and procedures for protecting service accounts, organizations often point to generic access control or privileged account management policies or standards that do not contain specific controls for service accounts. It is important to build from existing policies and standards to develop specific controls for managing service accounts and their passwords. Additionally, organizations should ensure an exception process is put in place for service accounts that cannot meet security requirements, such as those that cannot require password expiration / rotate requirements, or cannot meet complexity or monitoring requirements.
4. Apply proper technical controls to manage service accounts
In addition to arming the PAM program with the proper people and processes to manage service accounts, it is important to have necessary technical controls in place. As mentioned before, a PAM solution is key in order to vault and manage credentials to rotate and protect from visibility by insiders at any organization. Other solutions to consider include disabling interactive login, or preventing users from inputting usernames and passwords interactively to login with the account, and setting up monitoring to identify abnormal behavior on service accounts.
5. Ensure awareness and training around managing service accounts
Security stakeholders, application and IT teams, audit and other technical SMEs need to understand their role in managing service accounts. As mentioned before, in many instances service accounts contain elevated privileges, which make them very sensitive accounts that pose a high risk to the organization. Management needs to have full visibility into all of the service accounts within their environment and the risk that they pose. Application and IT teams need to understand risks of onboarding new software. Audit needs to understand processes to manage service accounts so that they can identify any areas of vulnerability. Technical SMEs need to be trained on the impacts that service accounts can have within the environment. Finally, when deploying a PAM solution to assist in management of service accounts proper technical documentation is needed (e.g. technical integration patterns and standard operating procedures) so development and engineering teams know how to effectively onboard, protect and use credentials managed in a PAM solution.
Service accounts bring about different risks from traditional, interactive, human accounts that need to be considered when managing accounts with highly elevated permissions. Adequate management of service accounts requires strong security controls that balance both security / risk and operational considerations. Protiviti has experience implementing security controls that take into account the 5 considerations, including privileged account discovery and assessing processes around managing privileged accounts. Past engagements include helping to set up PAM programs and selecting and implementing PAM solutions to include management of administrator accounts (“human-used”) and service accounts (“non-human used”).