14 November 2015

Tip 2 of the Ten Tips for Designing, Building, and Deploying More Secure Web Applications is still stuck in my mind, in particular the request to change the passwords of service accounts regularly.

Changing the password of services accounts is absolutely necessary but also a major challenge, at least the first time. Therefore most IT operators shy away from changing the password of a service account because even with careful preparation a residual risk remains that parts or the entire application system or another system will no longer function correctly.

Why is this so complicated? Let me try to explain this by the means of a straightforward example.

Service account saRepOp is used for automated report generation in a database environment. The account is defined in the active directory. The service is started via the task scheduler on the report server every workday at 2 am. Sounds easy, doesn’t it?

Therefore we use the straightforward way and enter net user saRepOp * /domain at the command prompt.

The next morning we get some dozen angry calls from users because the report job did not run.

The cause is simple. During definition of the scheduled task the password of the saRepOp is stored locally on the report server. When the scheduled task starts the password is retrieved from the local password store. The report job fails because during startup a login is run with an outdated password.

It becomes truly complex when the services accounts are used for various tasks on some or many computers. And this may well be regarded as normal.

In particular for complex application systems a services account map is required which lists the service accounts, the purpose for which they are used, the login method, the run method, the passwords storage location etc. To avoid system downtimes the service account map should be created before the first password change, ideally during system development and implementation to keep effort low.

It’s the effort for creating a service account map that makes IT operators afraid of changing the passwords of service accounts, and of course the remaining risk of a system breakdown.

Nevertheless an up-to-date service account map is of imperative need if a service account gets compromised and prompt response is required.

Have a good weekend.