CyberQP

With the rise of cybersecurity threats, rotating Active Directory service account passwords is critical. Discover five reliable methods to automate and manage password updates, improving security without burdensome manual effort.

Essential Methods to Secure AD Service Account Passwords

Key Takeaways

  • Automate password updates with PowerShell scripts.
  • Employ MFA for enhanced security measures.
  • Use Active Directory Managed Service Accounts for auto-rotation.
  • Store passwords in secure, encrypted vaults.
  • Leverage third-party solutions for automated password management.

5 Ways to Rotate Active Directory Service Account Passwords


Password security for Active Directory is becoming extremely important for companies across the globe due to the proliferation of ransomware and security breaches. One area that may not get a lot of attention, but is just as important to have a solution for, is service accounts.


Manually resetting a service account password, and then making sure the password is updated everywhere the account is used, can be a lot of work, so most IT companies simply do not do it. There are, however, some alternatives to manually rotating service account passwords. Each method has pros and cons.


1. Create a script to automate updating the password in the Windows Service and/or Scheduled Task with PowerShell, such as in this article from ITProToday.

Pros

  • Removes the manual effort for the tasks required after resetting the service account password
  • Free

Cons

  • Requires you to create and maintain your own script which takes time and testing
  • Still need to manually reset the service account password in Active Directory
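
A sketch of the kind of script method 1 describes, added here as an example (it is not the ITProToday script and not CyberQP code). It assumes it runs elevated on the host that uses the account, after the password has already been reset in Active Directory, and that services store the account in `DOMAIN\user` form; the account name `CONTOSO\svc-backup` is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example. Run on the host that uses the account,
# after the password has been reset in Active Directory.
param(
    [Parameter(Mandatory)] [string] $Account,            # placeholder: 'CONTOSO\svc-backup'
    [Parameter(Mandatory)] [securestring] $NewPassword   # prompted for, never hard-coded
)

# Win32_Service.Change and Set-ScheduledTask take plain text, so decrypt in memory only.
$plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password

# Services: WQL string literals need the backslash doubled.
$wqlAccount = $Account.Replace('\', '\\')
foreach ($svc in Get-CimInstance Win32_Service -Filter "StartName = '$wqlAccount'") {
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName = $Account; StartPassword = $plain
    }
    if ($result.ReturnValue -ne 0) {
        Write-Warning "Service $($svc.Name): Change returned $($result.ReturnValue), not restarted"
        continue
    }
    # The stored credential is only used at the next start, so restart running services.
    if ($svc.State -eq 'Running') { Restart-Service -Name $svc.Name -Force }
    Write-Output "Service updated: $($svc.Name)"
}

# Scheduled tasks: only those that store a password for this account.
# Task Scheduler may report the user with or without the domain prefix.
$shortName = ($Account -split '\\')[-1]
$tasks = Get-ScheduledTask | Where-Object {
    $_.Principal.LogonType -eq 'Password' -and $_.Principal.UserId -in @($Account, $shortName)
}
foreach ($task in $tasks) {
    try {
        Set-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -User $Account -Password $plain -ErrorAction Stop | Out-Null
        Write-Output "Task updated: $($task.TaskPath)$($task.TaskName)"
    } catch {
        Write-Warning "Task $($task.TaskName): $($_.Exception.Message)"
    }
}
$plain = $null
```

`Win32_Service.Change` stores the password without validating it, so a mistyped value shows up only as a failed service restart; matching tasks on the short user name can also catch a local account with the same name.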


2. Add an MFA (Multi-Factor Authentication) solution to your Active Directory accounts and never change the password

Pros

  • Adds an additional level of security to your Windows account
  • Don’t need to worry about changing passwords and updating the password in Windows services and scheduled tasks

Cons

  • Cost. You will need to pay per user per month for a third-party hosted MFA solution
  • Must enter the username, password, and MFA code every time you log in, unless you have a push notification solution, which is generally more costly
  • Even with MFA the account can still be hacked, and if it is and the password never changes, you may be an easier target
  • Does not cover technicians leaving your company. Even with MFA on the account, you would at the very least want to reset the password then


3. Set the password to an extremely long and complex value, store it in a securely encrypted password vault that only a limited number of people have access to, and never change the password.

Pros

  • Never need to reset the password
  • Password is difficult to hack since it’s very long and complex
  • Access to the password is limited to only a few people
  • Password is only accessible by the users who have permission to the vault and know the secret passphrase

Cons

  • Only a limited number of users will have access to the password if it is needed. Requires those users to share the password with other technicians when needed
  • The password never changes. Even though it is long and only a limited number of users have access, the password can still be hacked if those users get infected with key logging malware


4. Use an Active Directory Managed Service Account if supported by the process or application. Managed Service Accounts have passwords that are managed by Active Directory and rotated automatically, so administrators do not need to rotate them, which can be very advantageous. There are some restrictions, so be sure to review the documentation from Microsoft or this blog article.

Pros

  • Password rotation is handled automatically by Active Directory
  • Automated process
  • Passwords are automatically updated in Windows Services

Cons

  • Does not support scheduled tasks
  • Setup time required with PowerShell
  • Cannot span multiple computers. It cannot be installed on more than one computer at once
  • Must be supported by the application that uses the Windows Service


5. Use a third-party solution to automate the rotation of service account passwords. CyberQP offers a solution that will rotate Windows Service accounts on a specified schedule, update the password in the Windows Service and Scheduled Task, and then restart the service to finalize the change.

Pros

  • Complete automated solution
  • Supports Windows Services and Scheduled Tasks
  • Easy setup. No scripting knowledge required
  • Integrates with IT Glue password manager
  • Saves time and money

Cons

  • Paid solution


What is a Service Account?


A service account is an Active Directory account that is used to authenticate a process that runs on a Windows Server or PC, such as an accounting system or SQL database processes.


Windows Services are managed in the Services Management Console.


When you open an individual Windows Service and click on the ‘Log On’ tab you can review which account is used to authenticate that Windows Service.



When you review which accounts are used for authenticating Windows Services, you will notice that some use the Local System account while others use a specific Active Directory account with a password.

If the Local System account is specified, there is no password used and therefore no password to rotate. The Local System account is a highly privileged account that is used by a number of Windows Services but is not suitable for all Windows Services.



Scheduled Tasks

Service accounts can also be used for authenticating Windows Scheduled Tasks, which are accessed within the Task Scheduler application.

For scheduled tasks, you must open the scheduled task, click OK, then type in the updated password in the pop-up window, then click OK to complete the change.


If you would like to find out more about CyberQP’s Password Rotation solution, I encourage you to visit this page. If you have any questions or would like to proceed, book a demo with a CyberQP representative.

https://cyberqp.com/post/5-ways-to-rotate-active-directory-service-account-passwords/