
Service accounts are the backbone of Active Directory environments. They often run privileged workflows and are necessary for backups, virtualization infrastructure, SSO and much more. Protecting them is super important.

Ethical Threat Insight: How to Harden Service Accounts

After an attacker has gained access to your environment, their next objective is to elevate their privileges.

They do this for a number of reasons, such as:

  • To obtain access to backups (so they can delete them), making it difficult for you to recover. This makes it more likely that you will pay a ransom to get your data back

  • To pivot or move laterally in order to inflict as much damage as possible via ransomware

Now, one of the common techniques threat actors use to elevate their privileges is via weak service account passwords.

Service accounts are Kerberoastable: the hash for those accounts can be taken offline and subjected to cracking attempts.

If the account has a weak password, it will be cracked. It’s not uncommon for us to crack 10, 12, 15 character passwords during internal pentests.

I’ve even cracked 20-character passphrases before!

So how do you harden your service accounts?

  1. Use Managed Service Accounts - these are special accounts in Active Directory. The passwords are managed for you by AD. Here’s a great post by Ned Pyle that explains Managed Service Accounts in more detail than I can share here.

  2. Rotate passwords strategically - what I mean here is: if you don’t need to rotate the password, don’t, unless you suspect compromise or the password has been leaked or used elsewhere. Also, it goes without saying, but the password should be unique and long. As long as possible. Use a secure password generator.

  3. Monitor for abnormalities - service accounts are often highly privileged. They allow unfettered access in most environments. But that doesn’t mean they don’t have a pattern. Monitor for abnormal logins, such as when the account authenticates outside of its typical time windows or when it’s used on hosts it doesn’t typically log in to.
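To make the monitoring step concrete, here is an added example (not code from the original post) that builds a simple baseline per service account and flags logons outside the expected hour window or on hosts the account does not normally use. The log lines, account names and host names are constructed for the example, and the line format is a simplified stand-in for a 4624 logon event.

```python
"""Flag service-account logons outside their usual time window or on unusual hosts."""
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline: where and when each service account normally authenticates.
BASELINE = {
    "svc_backup": {"hosts": {"BKP01", "BKP02"}, "hours": (22, 4)},  # nightly 22:00-04:00
    "svc_vcenter": {"hosts": {"VC01"}, "hours": (0, 24)},           # any time, one host
}

@dataclass
class Logon:
    time: datetime
    account: str
    host: str

def parse_logon(line: str) -> Logon:
    """Parse one constructed, simplified line: '<ISO time> 4624 <account> <host>'."""
    ts, event_id, account, host = line.split()
    if event_id != "4624":
        raise ValueError(f"not a logon event: {line}")
    return Logon(datetime.fromisoformat(ts), account, host)

def in_window(hour: int, window: tuple) -> bool:
    """True if hour falls inside [start, end); windows may wrap past midnight."""
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end

def find_anomalies(lines):
    """Return (account, reason, host, time) for every logon that breaks the baseline."""
    findings = []
    for line in lines:
        logon = parse_logon(line)
        profile = BASELINE.get(logon.account)
        if profile is None:
            continue  # not a tracked service account
        if logon.host not in profile["hosts"]:
            findings.append((logon.account, "unusual host", logon.host, logon.time.isoformat()))
        if not in_window(logon.time.hour, profile["hours"]):
            findings.append((logon.account, "outside window", logon.host, logon.time.isoformat()))
    return findings

SAMPLE_LOG = [  # constructed sample events
    "2024-03-04T23:10:00 4624 svc_backup BKP01",         # normal
    "2024-03-05T02:30:00 4624 svc_backup BKP02",         # normal, inside the wrapped window
    "2024-03-05T14:05:00 4624 svc_backup WS-FINANCE17",  # daytime, on a workstation: two findings
    "2024-03-05T09:00:00 4624 svc_vcenter VC01",         # normal
    "2024-03-05T09:02:00 4624 svc_vcenter DC01",         # unusual host
    "2024-03-05T09:03:00 4624 jdoe WS-FINANCE17",        # regular user, not tracked
]
```

Running `find_anomalies(SAMPLE_LOG)` yields three findings; in practice the baseline would be derived from a few weeks of real logon history rather than hard-coded.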

One last bonus tip is to document where your service accounts are being used and what their purpose is.

One of the worst issues I’ve seen is when a service account password is updated and one location where the account is used gets missed, bringing production systems or applications down. That’s no fun (:

I’d love to hear how you’re tackling the challenge of protecting service accounts. Reply and let me know.

If you’re curious what else you can do to harden Active Directory, check out this webinar I did.

All the best
Spencer Alessi

PS - What topics would you like me to share about the most? Reply and let me know.
