The Security Risks of Service Accounts: You Can’t Protect What You Can’t See

Service accounts play an important role in today’s enterprise environment. These non-human or machine-to-machine (M2M) accounts are used by applications, systems, and services to perform important automated tasks in a network. They need access to resources such as databases, file shares, and other resources to perform their routine tasks. Because of their central role, these accounts often have privileged access so that they can carry out their functions without the need for human interaction.

If not properly managed, however, service accounts can pose significant risks, enabling threat actors using the compromised credentials of service accounts to take them over and move laterally throughout a network undetected.

In this post, we’ll explore what service accounts are and how they’re used and explain the security risks organizations can face if they’re not managed correctly. This is the first part of a three-post series discussing service account security.

What Service Accounts Are and Why They’re Important

Service accounts are dedicated non-human accounts that IT admin creates to run on different machines or in some cases are accounts that are created by process, such as software installation. These accounts are usually defined on the Active Directory (AD). Systems, applications, and administrators use service accounts to interact with other systems, for example, a file manager or an SQL server agent. They perform automatic, repetitive, and scheduled actions in the background, usually without human intervention. Some examples of the different types of tasks that service accounts perform include running an application on a Windows operating system, automated backups, performing database maintenance and more.

These machine accounts can be found across an organization’s network. Certain “hybrid” users, such as infrastructure administrators, and application owners may run scripts from their personal user accounts to machines and essentially act as service accounts.

When a service account is created, it is typically given a set of permissions that allow it to perform specific tasks or access specific resources. In most cases, their permissions are defined by the administrator who created the service account. In a situation where the service account was created by a process, their permissions will be configured by the package manager during the installation of the software that the service account will be connecting to.

Different Types of Service Accounts

There are usually several different types of service accounts in an environment, each one with a specific role. In general, service accounts fall under two scenarios:

1. Service accounts created by admins to automate specific tasks.
2. Service accounts created during processes, for example during software installation.

Service accounts are usually categorized into specific types based on their exact behavior and permissions level. For organizations that have a large number of service accounts, this tends to be the mix:

Machine to Machine (M2M) Accounts – used exclusively by machines to interact with other machines or services; examples include, a web container communicating with a database container or an application communicating to an endpoint.

Hybrid Accounts – used primarily for M2M access but sometimes used by human users to access specific resources; for example, admin users who run scripts to gain access to shared file servers, databases, or management systems.

Scanners – used by a few devices to communicate with a large number of resources inside a network; for example, vulnerability scanners, health management scanners, and code scanners.

The Security Risks of Service Accounts

Service accounts are indispensable, but not immune to security risks. In recent years, threat actors have increasingly leveraged compromised service accounts to gain unauthorized access and move laterally within an organization’s network. There are several factors that contribute to the security risks associated with service accounts.

Firstly, service accounts often lack visibility within an organization’s security infrastructure. Due to their complex interdependencies with multiple processes, programs, and applications, it can be challenging to accurately track and monitor their behavior. This lack of visibility leaves service accounts susceptible to compromise, with threat actors able to exploit them without detection.

Second, service accounts are frequently excluded from regular password rotation practices. Unlike human accounts that require periodic password changes, service accounts are often overlooked in password management efforts. A key reason for this neglect is the fear that changing passwords may disrupt critical processes. Consequently, compromised service accounts may provide threat actors with prolonged access to an organization’s network that is undetected.

Lastly, service accounts are often provisioned with unnecessary access rights and privileges. It is common for developers and administrators to assign broad permissions to service accounts in order to ensure seamless functionality, neglecting the principle of least privilege. This practice increases the potential impact of a compromised service account, as threat actors can leverage the account’s elevated privileges to access sensitive systems and data.

Why It’s Important to Understand the Security Risks of Service Accounts

Although service accounts perform important functions in an environment, they can also pose critical security risks if not managed correctly.

When a service account is created, for example, it can be inadvertently assigned a high level of privilege, equivalent to that of an admin. This, in turn, can create a security issue if admins are not fully aware (i.e., have full visibility into) the exact behavior and activity of those accounts. Often, this is simply due to the improper documentation of these accounts which, as mentioned before, can be a challenge due to their high number as well as issues like IT staff turnover. Over time, this problem compounds, with the initial lack of awareness turning into a serious security blind spot.

Here are some of the specific security risks organizations can face when managing service accounts:

Discovering All Service Accounts

One of the challenges of managing service accounts is discovering all the different service accounts that are being used. Since organizations can have hundreds or even thousands of service accounts, it can be a challenge to keep track and find every single service account and its activity. If an organization is not aware of all its service accounts, it won’t be able to secure them effectively.

Visibility and Monitoring

Because organizations often lack full visibility into service accounts and how they’re being used, it is difficult to detect any unauthorized access or malicious activity stemming from them. Complicating things is the fact that no identity infrastructure can automatically filter which users are service accounts from the overall list of users.

Additionally, if service accounts are not associated with a specific user, it can be difficult to determine their activity and purpose. This can result in organizations being exposed to security risks, such as not detecting unauthorized access by threat actors which can lead to lateral movement attacks.

High Access Privileges

As stated previously, service accounts can often be assigned a level of privileged access similar to that of an admin. While the typical service account does not require domain-level access, these accounts sometimes end up with overprivileged access to ensure operational continuity. Organizations that are using service accounts for the automation of operational tasks will assign high-privilege access to ensure there is no downtime in their operations. This can create a challenge in terms of properly managing these privileged accounts against incoming identity-based attacks.

No PAM Protection: Password Rotation is Not the Answer

To manage risk, most organizations have turned to implementing password rotation as a strategy for keeping highly privileged accounts secure. But password rotation comes with limitations, as service accounts can’t be subject to password rotation for various reasons, such as the fact that they can be embedded in scripts and could break critical processes if their passwords are rotated. This would invalidate the password in the scripts, preventing the service account from accessing its target resource and subsequently breaking any process that relies on the service accounts’ task.

Mitigating Service Account Risks

To manage the potential exposures related to service accounts and address the concerns of cyber insurance underwriters, organizations can implement various risk mitigation practices. These practices include:

Auditing and Inventorying Service Accounts

Organizations should conduct regular audits to identify and inventory all service accounts within their network. This process involves determining the purpose and usage of each service account, as well as assessing the permissions and access rights associated with them. By maintaining an up-to-date inventory, organizations gain better visibility into their service accounts and can identify any accounts that are no longer in use.

Password Rotation and Complexity

Implementing a regular password rotation policy for service accounts is essential to enhance security. While changing passwords for service accounts can be challenging due to potential disruptions, organizations must strike a balance between security and operational continuity. Ensuring that passwords are complex and resistant to brute force attacks further strengthens service accounts’ security.

Denying Interactive Logins

To prevent the unauthorized use of service accounts, organizations should configure the accounts to deny interactive logins. This setting restricts the usage of service account usernames and passwords on typical human login screens, mitigating the risk of unauthorized access. By implementing this measure, organizations can limit threat actors’ exploits of service accounts.

Privileged Access Management (PAM)

Implementing a Privileged Access Management (PAM) solution can significantly enhance service account security. PAM solutions provide a centralized platform for managing, securing, and monitoring privileged accounts, including service accounts. By enforcing the least privilege principle, organizations can restrict service accounts to only the necessary permissions required for their intended tasks.

Regular Review and Mitigation

Organizations should establish a process for regularly reviewing service account requirements and permissions. This review ensures that service accounts have only the necessary permissions and helps identify any potential security gaps or unnecessary access rights. By continuously assessing and mitigating risks, organizations can proactively address vulnerabilities in their service account management practices.

Monitoring and Alerting

Implementing robust monitoring and alerting mechanisms for service accounts is critical for detecting abnormal or malicious behavior. Organizations should establish monitoring rules specific to service accounts and configure their security operations centers (SOCs) to receive alerts in response to suspicious activities. Monitoring solutions powered by machine learning algorithms can help organizations establish baseline behaviors for service accounts and identify deviations that may indicate a compromise.

Next Up: Analyzing Attacks Where Service Accounts Were Used

Now that we’ve covered the basics of service accounts, including what they’re used for and the security risks they present, our next post will dive deep into different security breaches where service accounts were used and, in some cases became the entry point for the threat actors.