Account Census: Creating a Complete Inventory of Service Accounts in Your Domain
Maintaining control and visibility over service accounts is crucial for any organization’s identity security posture. These accounts, which frequently hold elevated privileges, are typically created to automate a system function and then forgotten, leaving security holes that can be exploited. Not knowing the full set of service accounts, or what they do on your network and servers, leaves gaps that attackers actively look for.
This article provides a step-by-step guide for cybersecurity professionals to gain a complete inventory of service accounts across their Active Directory domain and Windows servers.
Undocumented service accounts are a major weakness; the process below closes that gap by producing a full accounting of every non-human account and the access it holds.
Properly managing and monitoring service accounts is a key way to strengthen defenses and avoid becoming the next headline.
How to Generate a List of All Service Accounts in Your Domain
To get a complete inventory of service accounts in your domain, you need to query your domain controllers. Service accounts are used by Windows services, IIS application pools, SQL Server, and other applications to access resources. However, without proper documentation and oversight, orphaned service accounts can pose a security risk.
Generate a list of the domain user accounts that have a Service Principal Name registered by running the following PowerShell command. It needs the ActiveDirectory module (part of RSAT) and works from any domain-joined machine that can reach a domain controller; running it on the domain controller itself is not required:
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName,Enabled,PasswordLastSet | Select-Object SamAccountName,Enabled,PasswordLastSet,@{n='ServicePrincipalName';e={$_.ServicePrincipalName -join ';'}} | Export-Csv C:\Temp\ServiceAccounts.csv -NoTypeInformation
This will:
- Use the Get-ADUser cmdlet to query user objects in Active Directory
- Filter the results to users that have at least one ServicePrincipalName value, which means a Kerberos-authenticated service has been registered to run under that account. This is the most common signature of a service account, but not a definition: accounts used only as a Windows service or scheduled-task logon identity may have no SPN at all, group Managed Service Accounts are a different object class (query them with Get-ADServiceAccount), and the built-in krbtgt account and any administrator who has registered an SPN will also appear in the output
- Join the multi-valued ServicePrincipalName attribute into a single field (without the join, Export-Csv writes the collection’s type name instead of the values) and write SamAccountName, Enabled, PasswordLastSet and the SPNs to ServiceAccounts.csv; -NoTypeInformation suppresses the #TYPE header line that Windows PowerShell otherwise prepends
Open the CSV file to view the list. SamAccountName is the account name. Each ServicePrincipalName value has the form serviceclass/host[:port] (for example MSSQLSvc/sql01.corp.example:1433) and identifies one service instance that authenticates as this account, so the host portion tells you where the account is actually in use.
Review each service account to determine whether it is still in use. Check with application owners to verify the account is still required. Disable or delete any unused service accounts to reduce the risk of compromise.
Document all active service accounts, including details about the owning application or service. Establish a process to review service accounts regularly to ensure the documentation stays up to date.
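The SPN query alone does not give a complete census, because it only sees accounts that were registered for Kerberos. The script below is an added example (not code from the original article or from Silverfort) that goes further than the single command above: it merges three sources into one inventory CSV, namely users with SPNs, managed service accounts (sMSA/gMSA, which Get-ADUser never returns), and the logon identities actually configured for Windows services and scheduled tasks on a list of servers, then reports the accounts that only showed up on a server. The server names, the output path, the list of built-in identities to skip, and the DOMAIN\user normalization are assumptions to adapt to your environment.

```powershell
# Added example (not from the original article): build a service-account inventory from
# three sources and merge them into one CSV. Requires the ActiveDirectory RSAT module
# and admin rights on the listed servers. $Servers and $OutFile are placeholders.
#Requires -Modules ActiveDirectory

$Servers = @('app01', 'sql01')                    # assumption: your application servers
$OutFile = 'C:\Temp\ServiceAccountInventory.csv'

$rows = New-Object System.Collections.Generic.List[object]

# 1. User objects that carry an SPN (Kerberos-registered services).
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
           -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate, Enabled |
  ForEach-Object {
    $rows.Add([pscustomobject]@{
      Account         = "$env:USERDOMAIN\$($_.SamAccountName)"   # NetBIOS\sam, to match Win32_Service.StartName
      Source          = 'AD:SPN'
      Detail          = ($_.ServicePrincipalName -join ';')
      Enabled         = $_.Enabled
      PasswordLastSet = $_.PasswordLastSet
      LastLogonDate   = $_.LastLogonDate
    })
  }

# 2. Managed service accounts (sMSA/gMSA) are a separate object class and are
#    invisible to Get-ADUser. For a gMSA, Detail lists who may fetch its password.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword, LastLogonDate, Enabled |
  ForEach-Object {
    $rows.Add([pscustomobject]@{
      Account         = "$env:USERDOMAIN\$($_.SamAccountName)"
      Source          = 'AD:MSA'
      Detail          = ($_.PrincipalsAllowedToRetrieveManagedPassword -join ';')
      Enabled         = $_.Enabled
      PasswordLastSet = $null        # rotated automatically by AD
      LastLogonDate   = $_.LastLogonDate
    })
  }

# 3. What actually runs on the servers: Windows services and scheduled tasks whose logon
#    identity is a domain account, SPN or not. Built-in identities are skipped (assumed list).
$builtin = '^(LocalSystem|SYSTEM|LOCAL SERVICE|NETWORK SERVICE|NT AUTHORITY\\.*|NT SERVICE\\.*|\.\\.*)$'
foreach ($srv in $Servers) {
  Invoke-Command -ComputerName $srv -ScriptBlock {
    Get-CimInstance Win32_Service | ForEach-Object {
      [pscustomobject]@{ Account = $_.StartName; Kind = 'Service'; Name = $_.Name }
    }
    Get-ScheduledTask | ForEach-Object {
      [pscustomobject]@{ Account = $_.Principal.UserId; Kind = 'Task'; Name = $_.TaskName }
    }
  } | Where-Object { $_.Account -and $_.Account -notmatch $builtin } | ForEach-Object {
    $rows.Add([pscustomobject]@{
      Account         = $_.Account
      Source          = "$($srv):$($_.Kind)"
      Detail          = $_.Name
      Enabled         = $null
      PasswordLastSet = $null
      LastLogonDate   = $null
    })
  }
}

$rows | Sort-Object Account, Source | Export-Csv $OutFile -NoTypeInformation

# Accounts seen on a server but absent from both AD sources are exactly the ones the SPN
# query would have missed. (An account with an SPN that no server uses is an orphan candidate.)
$adAccounts = $rows | Where-Object Source -like 'AD:*' | Select-Object -ExpandProperty Account
$rows | Where-Object { $_.Source -notlike 'AD:*' -and $_.Account -notin $adAccounts } |
  Select-Object Account, Source, Detail
```

Service logon identities can also be stored in UPN form (user@domain), which this simple string comparison will not match against the DOMAIN\user rows; normalize both forms if your environment mixes them.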
Taking the time to find all service accounts in your domain and implement oversight procedures is an important part of an overall security strategy. Undocumented and abandoned service accounts provide easy access that can be exploited by malicious actors. Maintaining an accurate register of all service accounts allows you to properly manage and monitor them.
Verifying Service Accounts and Their Permissions
Once service accounts have been identified, it is important to verify that their permissions are properly scoped. Overly permissive service accounts represent a major security risk, as they can be leveraged by malicious actors to gain broad access within the network environment.
Reviewing Service Account Permissions
The first step in verifying service account permissions is to determine what level of access each account has been granted. This includes:
- Reviewing group memberships. Service accounts should only belong to groups that are directly relevant to their function. Accounts belonging to overly permissive groups like “Domain Admins” should be scrutinized.
- Analyzing NTFS file/folder permissions. Service accounts should only have permissions on files and folders that are essential to their intended use. Full control or modify permissions on sensitive directories are red flags.
- Checking for privileged account types. Accounts with administrative privileges like “Enterprise Admins” or “Schema Admins” require close review. These highly privileged accounts are frequent targets of compromise.
- Reviewing delegation settings and user rights. Kerberos delegation lets a service account obtain tickets to other services on behalf of the users who authenticate to it; unconstrained delegation (“Trust this user for delegation to any service”) in particular turns the account into a credential-harvesting point and should be justified individually, and constrained delegation targets should be reviewed. Separately, the local user rights “Act as part of the operating system” and “Impersonate a client after authentication” should not be granted to service accounts explicitly. Note that any account that logs on as a Windows service already holds the impersonation right through the built-in SERVICE group, so the thing to look for is explicit grants in local security policy or Group Policy.
- Analyzing SQL Server, SharePoint and other application permissions. Service accounts with db_owner or farm admin roles have broad access and should be closely reviewed. Only the minimum permissions required for the account’s function should be granted.
For any overly permissive service accounts identified, permissions should be reduced to the appropriate level required for the account to operate. If the business justification for an account’s broad access is unclear, it may indicate the presence of an unauthorized or “shadow” account that should be disabled.
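The checks above can be automated against the inventory. The script below is an added example (not code from the original article or from Silverfort): for each account in the CSV produced earlier it resolves nested group membership in one LDAP query, reports membership in privileged groups, the Kerberos delegation flags, a stale never-expiring password and disabled pre-authentication, and then exports the local security policy to list who holds the two user rights discussed above. The CSV path and the list of privileged groups are assumptions; extend the list with your own tier-0 groups.

```powershell
# Added example (not from the original article): privilege review for the accounts listed
# in an inventory CSV with a SamAccountName column. Requires the ActiveDirectory RSAT module.
# The privileged-group list and the CSV path are assumptions.
#Requires -Modules ActiveDirectory

$Inventory = Import-Csv 'C:\Temp\ServiceAccounts.csv'
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                      'Account Operators', 'Server Operators', 'Backup Operators',
                      'Print Operators', 'DnsAdmins', 'Group Policy Creator Owners')

function Get-NestedGroupNames {
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested membership
    # server-side, so a user two levels below Domain Admins is still reported.
    param([string]$DistinguishedName)
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$DistinguishedName)" |
        Select-Object -ExpandProperty Name
}

function Test-ServiceAccountPrivilege {
    param([string]$SamAccountName)
    $props = @('AdminCount', 'TrustedForDelegation', 'TrustedToAuthForDelegation',
               'msDS-AllowedToDelegateTo', 'PasswordNeverExpires', 'DoesNotRequirePreAuth',
               'PasswordLastSet')
    $u = Get-ADUser -Identity $SamAccountName -Properties $props
    $groups = @(Get-NestedGroupNames -DistinguishedName $u.DistinguishedName)
    $findings = @()

    $hit = $groups | Where-Object { $_ -in $PrivilegedGroups }
    if ($hit) { $findings += "member of privileged group(s): $($hit -join ', ')" }
    if ($u.AdminCount -eq 1 -and -not $hit) {
        # adminCount stays 1 after removal from a protected group; ACL inheritance remains off.
        $findings += 'adminCount=1 (once protected by AdminSDHolder; ACL inheritance still disabled)'
    }
    if ($u.TrustedForDelegation)       { $findings += 'unconstrained Kerberos delegation' }
    if ($u.TrustedToAuthForDelegation) { $findings += 'protocol transition (S4U2Self) enabled' }
    if ($u.'msDS-AllowedToDelegateTo') {
        $findings += "constrained delegation to: $($u.'msDS-AllowedToDelegateTo' -join ', ')"
    }
    if ($u.DoesNotRequirePreAuth) { $findings += 'Kerberos pre-authentication disabled (AS-REP roastable)' }
    if ($u.PasswordNeverExpires -and $u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
        $findings += "password never expires and was last set $($u.PasswordLastSet.ToShortDateString())"
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Groups         = ($groups -join ';')
        Findings       = ($findings -join ' | ')
    }
}

function Get-LocalUserRightHolders {
    # User-rights assignments are not AD attributes. secedit exports the local policy as an
    # INI file whose [Privilege Rights] lines look like: SeTcbPrivilege = *S-1-5-32-544,...
    param([string[]]$Rights = @('SeTcbPrivilege', 'SeImpersonatePrivilege'))
    $inf = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $Matches[1] -in $Rights) {
            $holders = $Matches[2] -split ',' | ForEach-Object {
                $id = $_.Trim()
                if ($id.StartsWith('*')) {      # '*' prefix marks a SID; resolve it to a name
                    try { (New-Object System.Security.Principal.SecurityIdentifier($id.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $id }
                } else { $id }
            }
            [pscustomobject]@{ Right = $Matches[1]; Holders = ($holders -join ';') }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
}

$Inventory | ForEach-Object { Test-ServiceAccountPrivilege -SamAccountName $_.SamAccountName } |
    Where-Object Findings | Format-Table -AutoSize

Get-LocalUserRightHolders | Format-Table -AutoSize
```

Run Get-LocalUserRightHolders on each server that hosts the service, not on your workstation: the rights are per machine, and you are looking for a service account (or a broad group it belongs to) appearing in the Holders column alongside the default Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE entries.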
Rigorously verifying and reducing service account permissions is a key step in limiting the potential impact of account compromise. By following best practices for service account permission scoping and least privilege, organizations can significantly reduce risks related to service account access.
Ongoing Monitoring and Management of Service Accounts
Regular monitoring and management of service accounts are crucial for maintaining security and compliance. Once the initial audit of service accounts is complete, ongoing review processes must be implemented to ensure no accounts are overlooked or misused.
Scheduled Reviews
It is recommended that service accounts be reviewed on a quarterly basis at a minimum. During reviews, check that account passwords are long, random and unique, that unused accounts are disabled or deleted, and that account permissions and access rights are appropriate and necessary for the account’s function. Multi-factor authentication in the usual sense cannot be applied to a non-interactive account, so the compensating controls are: a long random password rotated on a schedule (or a group Managed Service Account, whose password AD rotates automatically), denying the account interactive and Remote Desktop logon, restricting the hosts it may log on from, and alerting on any logon from elsewhere.
Monitoring Account Usage
Continuously monitor service account activity and logon events. Watch for anomalies like interactive or Remote Desktop logons by an account that should only ever log on as a service or batch job, logons from hosts that are not part of the service, logons during unusual hours, or changes to the account’s group membership or privileges. Monitor for signs that a service account may have been compromised, like installation of unknown software or configuration changes. Alerts and reports can be configured to notify administrators of questionable account activity requiring review.
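The two cheapest detections for a service account, a logon type it should never produce and a source host it has never used, can be expressed directly against Security event 4624. The script below is an added example (not code from the original article or from Silverfort): it normalizes 4624 records to the fields the check needs and flags logons that violate a per-account baseline. The baseline table and the sample records are constructed for illustration; in production the events come from Get-WinEvent on the domain controllers or from your SIEM, and the baseline from the inventory.

```powershell
# Added example (not from the original article): flag service-account logons that do not
# fit how a service account should authenticate. $Baseline and $Sample are constructed
# illustration data, not real environment or log data.

# Baseline (assumption): hosts each service account is expected to log on from.
$Baseline = @{
    'svc_sql'    = @('SQL01')
    'svc_backup' = @('BKP01', 'FILE01')
}
# Logon types a non-interactive account legitimately produces: 3 network, 4 batch, 5 service.
# 2 (interactive), 7 (unlock), 9 (runas /netonly) and 10 (RDP) mean a human is using the account.
$AllowedLogonTypes = 3, 4, 5

function ConvertFrom-LogonEvent {
    # Normalise a real Security/4624 event from Get-WinEvent to the fields the check needs.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Account     = $d['TargetUserName']
        LogonType   = [int]$d['LogonType']
        Workstation = $d['WorkstationName']
        IpAddress   = $d['IpAddress']
    }
}

function Find-ServiceAccountAnomaly {
    param([object[]]$Events, [hashtable]$Baseline, [int[]]$AllowedTypes)
    foreach ($e in $Events) {
        if (-not $Baseline.ContainsKey($e.Account)) { continue }   # not a tracked service account
        $reasons = @()
        if ($e.LogonType -notin $AllowedTypes) {
            $reasons += "logon type $($e.LogonType): interactive/RDP/runas use of a service account"
        }
        if ($e.Workstation -and $e.Workstation -notin $Baseline[$e.Account]) {
            $reasons += "source host $($e.Workstation) not in baseline"
        }
        if ($reasons) {
            [pscustomobject]@{
                Time = $e.Time; Account = $e.Account; LogonType = $e.LogonType
                Workstation = $e.Workstation; IpAddress = $e.IpAddress
                Reason = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records (not real log data): two normal, two that should fire, one ignored.
$Sample = @(
    [pscustomobject]@{ Time = '2024-05-01 02:00'; Account = 'svc_sql';    LogonType = 5;  Workstation = 'SQL01';   IpAddress = '-' }
    [pscustomobject]@{ Time = '2024-05-01 02:05'; Account = 'svc_backup'; LogonType = 4;  Workstation = 'BKP01';   IpAddress = '10.0.0.12' }
    [pscustomobject]@{ Time = '2024-05-01 03:17'; Account = 'svc_sql';    LogonType = 10; Workstation = 'WKS-042'; IpAddress = '10.0.9.77' }
    [pscustomobject]@{ Time = '2024-05-01 03:20'; Account = 'svc_backup'; LogonType = 3;  Workstation = 'DEV07';   IpAddress = '10.0.9.78' }
    [pscustomobject]@{ Time = '2024-05-01 03:21'; Account = 'jdoe';       LogonType = 2;  Workstation = 'WKS-042'; IpAddress = '-' }
)

Find-ServiceAccountAnomaly -Events $Sample -Baseline $Baseline -AllowedTypes $AllowedLogonTypes |
    Format-Table -AutoSize

# Live use on a domain controller, last 24 hours:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } |
#             ForEach-Object { ConvertFrom-LogonEvent $_ }
# Find-ServiceAccountAnomaly -Events $live -Baseline $Baseline -AllowedTypes $AllowedLogonTypes
```

With the sample data, the RDP logon of svc_sql from WKS-042 is reported with both reasons and the network logon of svc_backup from DEV07 with the host reason; the interactive logon by jdoe is ignored because that account is not in the baseline. The baseline itself should be generated from the inventory (the host portion of each SPN and the servers where the account runs a service or task) rather than typed by hand.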
Documentation
Well-documented service accounts are easier to properly manage and audit. Documentation should include details like the account purpose, ownership, permissions, devices, and software accessed. Documentation makes it simpler to determine if any account changes were legitimate and authorized. Lack of documentation hampers the ability to thoroughly review service accounts and can increase security risks.
Account Ownership
Ensure that all service accounts have a designated owner, even for automated processes. Account owners should review access and usage regularly to verify accounts are still required and being utilized properly. Unowned or orphaned accounts are more prone to abuse or neglect since no one claims responsibility for managing them.
With routine attention and oversight, service accounts can be secured and compliance maintained. But without ongoing monitoring and management, the hard work of the initial account audit will be quickly undone as security holes develop and access rights spiral out of control. Establishing a regular schedule to review accounts, monitor activity, update documentation and verify ownership is key.
The Importance of Knowing All Your Service Accounts
Service accounts are non-human accounts used by Windows services, IIS application pools, and scheduled tasks to access resources. Because service accounts often have elevated privileges and their passwords are rarely changed, they are a common attack vector for external attackers and malicious insiders.
Not knowing all the service accounts in your domain and which resources they access leaves your organization vulnerable to unauthorized access and data breaches. Regular service account audits are a proactive security measure required to ensure compliance with regulations like PCI DSS and to minimize your attack surface.
- Service accounts provide a way into your network. Attackers frequently target service accounts with weak passwords or excessive privileges to gain initial access. Once inside, they use the account to access data and move laterally.
- Orphaned service accounts are vulnerable. Service accounts no longer associated with any service or task but still enabled in AD are attractive targets, because nobody notices when they are used. It’s critical to identify and disable orphaned accounts.
- Privilege creep can happen over time. Service accounts may accumulate additional access rights as new services and systems come online, granting the accounts more privileges than they actually need. Audits help prevent privilege creep by ensuring accounts have the least privilege access.
- Compliance at risk. Regulations like PCI DSS require strict control and monitoring of administrative accounts like service accounts. Failure to audit service accounts regularly puts your compliance at risk and can result in penalties.
The Risks of Not Having a Full Service Account Inventory
Having an incomplete inventory of service accounts in your Active Directory environment poses serious risks to your organization. Unauthorized access to service accounts can result in privilege escalation, allowing malicious actors to gain administrative rights and access sensitive information. As a result, data breaches, service interruptions, and compliance issues may occur.
Service accounts are often overlooked in audits and security reviews since they are non-human accounts. Yet they often have the elevated privileges required to run applications and services. In the event that these accounts are compromised, adversaries will have an easier time moving laterally within the network and gaining administrative access.
When service accounts with broad access are compromised, data breaches are more likely to occur. When an attacker gains access to a system, sensitive information can be accessed and exfiltrated, including customer data, intellectual property, and financial records. Regulatory compliance is also put at risk if auditors discover unknown service accounts with excessive privileges.
When service accounts are misused to tamper with applications, servers, and network devices, outages and disruptions can occur. Malware or ransomware deployed via a compromised service account can cripple systems and impact business operations.
Performing a comprehensive inventory of service accounts allows organizations to implement appropriate controls, thus reducing the risk of unauthorized access, privilege escalation, data breaches, and service disruptions. Continuous monitoring and review of service accounts should be incorporated into any Active Directory security program. Failure to do so provides easy targets for malicious actors to exploit.
How Silverfort Finds and Protects All Service Accounts
Silverfort understands the importance of knowing and managing all service accounts. Our comprehensive solution creates a complete inventory, ensuring enhanced security and compliance.
Our solution proactively identifies and protects service accounts, mitigating risks from unauthorized access and privilege escalation. We go beyond audits to address non-human accounts.
Silverfort effectively manages elevated privileges required by service accounts. Regular monitoring and review significantly reduce data breaches, disruptions, and compliance issues.
Through continuous monitoring and control, we detect and respond to threats swiftly. Silverfort not only prevents unauthorized access but also prevents lateral movement, ensuring malicious actors cannot gain administrative access.
We understand the high stakes of security and compliance, so our solution eliminates easy targets while strengthening your Active Directory security program and staying ahead of threats.