4 April 2015

In the past weeks I had a lot of discussions with system operators about services running as real users, very often as domain users, if not as domain administrators. In some cases these accounts are used to run services on workstations as well.

From a security point of view this is a nightmare. Once an attacker got the login data of one of the service accounts, he can move across the network and collect credentials. The game is over when he gets access to a workstation where a user signs in with domain administrator credentials.

Executing the service as a local defined account with individual passwords would be a good choice to tackle this problem but, from an operations point of view this is the nightmare because the administrative effort will go straight through the roof.

This clash of interests is a really big challenge for the change manager. ADKAR is a often used model to guide activities during a change processes. But how could a change manager create Awareness in this case? Just telling the system operators to do things differently will not help. You must touch people’s minds with good stories and pictures.

‘Seeing is believing’ is my recipe: Find a workstation where a globally defined service account is used to run a service and extract all passwords from the LSASS process with MIMIKATZ. MIMIKATZ extracts the password hashes and the WDIGEST and Kerberos passwords in plain text.

MIMIKATZ Output

The MIMIKATZ output contains the passwords for the service accounts and, if applicable, for the domain administrator. Store this output encrypted in a file, highlight the service accounts and use the file as eye-opener in the next awareness session.

In my experience this  creates the necessary emotional involvement which is required for the next steps in the change process.

There is nothing left to say but …

Wishing you an Easter
that touches your heart
and lives in your thoughts
as a sweet reminder of
just how special you are.