Don't Fear the Service Account: An Easy Way to Solve Chronic Active Directory Back(side) Pain

(written with Jerry Matt , Todd Felker, CISSP and Deborah Blyth )

Every industry has a serious challenge with Active Directory (AD) and Service Accounts. With 80% of modern breaches involving compromised identity credentials, we’re realizing that the inherent lack of security built into Active Directory, along with (what is usually) years of poor AD hygiene has left a gaping hole for bad guys to run through on their way to stealing data and detonating ransomware.

It doesn’t have to be that way.

One Chronic Problem: A pervasive problem with Active Directory is service accounts. While my experience is mostly with healthcare organizations, my conversations with government, education, military, and commercial technology leaders tells me this is a wide-spread issue. Turns out almost every org has a LOT of service accounts.?

We usually don’t have a complete inventory of those accounts, and they’re not well governed, managed, or even named consistently. The inventory builds up over the years – and our lack of documentation means we may not know what many of the service accounts actually DO. As a result, we’re afraid to mess with them, for fear we’ll break an operational system that depends on the account.?

While security professionals drive regular password changes for every other account type, they often hesitate enforcing those changes on service accounts.

Service account password changes are especially difficult, because the password must also be changed anyplace else that password is stored (any application or process).? Changing the password usually means something is going to break, but until the deed is done, it’s difficult to know what will break, or how seriously the outage will affect operations. The result: service account passwords aren’t managed like “regular” accounts, creating significant security exposure.

If that wasn’t bad enough, service accounts are often configured with elevated administrative privileges. That means that if an adversary can find one of these accounts – as they’re moving quietly through your network during the initial stages of an attack – they’ve struck gold.?

Even if you start fixing this problem immediately – beginning with all newly created service accounts (following rules 1-6, below) – you’ll STILL have a bunch of older service accounts in AD that have to be found and remediated. Accounts that were created by AD administrators and others who came before you and left no documentation. But you can fix it.

The Academic Solution: How to Improve Security of Service Accounts

1. Identify and create an inventory of all Service Accounts?
2. As part of the inventory, document EVERYTHING that Service Account is being used to support – every application and other service supported
3. Validate the Service Account is necessary; If not, turn it off
4. Validate the Service Account is configured properly: for example, interactive log-on is not allowed; and the account has the least-privilege possible to do the job as intended
5. Put all the governance processes (naming conventions, etc) in place to make long-term identification and management of those accounts easier
6. Put a password rotation policy/process in place for all Service Accounts

I know, I know --? that work feels nearly impossible given those old undocumented (and kind of scary) service accounts – they’re a millstone around your neck. You’re afraid to touch them because it might cause an unscheduled outage. But you have to do something, right?

The PRACTICAL SOLUTION:

Do a Security Identity Assessment (and an Active Directory Service Account Risk Assessment) with a security partner you trust. It’s the fastest way OUT of the Service Account quandary.

First, make sure to ask the partner HOW the assessment program was built. You’ll want assessments designed BY Active Directory and Service Account experts/leaders who’ve been in your shoes, and who’ve found the best route to immediate protection, and long-term resolution.

Next, make sure the output of the Assessment gives you all the info you need to secure your Service Accounts, including:

• Identifying the risk associated with existing Service Accounts; the riskiest accounts must be identified so you can start this work with a prioritized list
• A COMPLETE LIST of every AD Account behaving as a Service Account
• And, detailed documentation on what every Service Account is doing -- the resources they’re tapping – every process, every application, etc.

With THAT insight (and the right partner service/capability – like CrowdStrike’s Identity Protection), you can:

• Secure your org IMMEDIATELY by creating simple conditional access policies, and regaining full control over every service account
• Get all necessary details to quickly investigate anything that looks suspicious
• Get all the info needed to develop a Service Account Security Improvement Plan. And the ability to take a breath and do the project methodically -- knowing that you’re protected immediately (through those conditional access policies), while you execute the remediation work (1-6, above).
• Finally, with CrowdStrike’s Identity Protection capability, you’ll be able to do all that, AND run a checkup on service accounts, anytime.?

For Falcon Complete customers, CrowdStrike can bring Identity Protection to you as a fully-managed service. Another thing off your plate, so you can leverage your security team against the rest of the work they're doing to keep us all safe.

You don't have to worry about service accounts anymore -- let me show you how easy this can be -- just yell, I’m here to help!

----------

Drex DeFord has broad experience as a thirty-plus year senior healthcare executive, including his "first career" as US Air Force officer (hospital administrator/CIO), culminating as Chief Technology Officer for Air Force Health’s World-Wide Operations. He also served as CIO at Scripps Health, Seattle Children’s, and Steward Healthcare.?He’s Past-Chair of CHIME’s Board of Trustees, and has served on the HIMSS National Board. Over the past several years -- as an independent consultant (and “Recovering-CIO”) -- he helped lead trusted health systems, payers, associations, vendors, and investors through their work on healthcare's toughest problems.?In 2021, Drex joined CrowdStrike Healthcare as Executive Strategist.?He’s passionate about the mission to stop breaches, and better secure clinical, research, and healthcare business operations.