IT Security Matters

Klaus Jochem

Skip to content
  • Home
  • About me
    • About me
    • Copyright and Disclaimer

Tip 2: Change the Password of Service Accounts Periodically

14 November 2015

Tip 2 of the Ten Tips for Designing, Building, and Deploying More Secure Web Applications is still stuck in my mind, in particular the request to change the passwords of service accounts regularly.

Changing the password of services accounts is absolutely necessary but also a major challenge, at least the first time. Therefore most IT operators shy away from changing the password of a service account because even with careful preparation a residual risk remains that parts or the entire application system or another system will no longer function correctly.

Why is this so complicated? Let me try to explain this by the means of a straightforward example.

Service account saRepOp is used for automated report generation in a database environment. The account is defined in the active directory. The service is started via the task scheduler on the report server every workday at 2 am. Sounds easy, doesn’t it?

Therefore we use the straightforward way and enter net user saRepOp * /domain at the command prompt.

The next morning we get some dozen angry calls from users because the report job did not run.

The cause is simple. During definition of the scheduled task the password of the saRepOp is stored locally on the report server. When the scheduled task starts the password is retrieved from the local password store. The report job fails because during startup a login is run with an outdated password.

It becomes truly complex when the services accounts are used for various tasks on some or many computers. And this may well be regarded as normal.

In particular for complex application systems a services account map is required which lists the service accounts, the purpose for which they are used, the login method, the run method, the passwords storage location etc. To avoid system downtimes the service account map should be created before the first password change, ideally during system development and implementation to keep effort low.

It’s the effort for creating a service account map that makes IT operators afraid of changing the passwords of service accounts, and of course the remaining risk of a system breakdown.

Nevertheless an up-to-date service account map is of imperative need if a service account gets compromised and prompt response is required.

Have a good weekend.

Advertisements

Share this:

  • Email
  • Print
  • LinkedIn

Like this:

Like Loading...

Related

This entry was posted in Survival tips and tagged Password change, Secure Web Applications, Service account map, Service accounts on November 14, 2015 by Klaus Jochem.

Post navigation

← Ten years old but still up-to-date: Ten Tips for Designing, Building, and Deploying More Secure Web Applications It was about time: Amazon introduces Two Factor Authentication →

Technology and more

  • 4 Elementary IT Security Design Principles

Endnotes

  • SRM Blog Information Security Breach Reports
  • [1] Frequently Asked Questions on eBay Password Change
  • [2] Ponemon Institute, Cost of Cyber Crime Study: United States 2013
  • [3] Hashed Passwords – Crack The Cred
  • [4] Important Information – Office Passwort Reset
  • [5] Reducing the Effectiveness of Pass-the-Hash

Tags

  • administrative privileges
  • Adobe Flash Player
  • anti-malware
  • AppGuard
  • Attack Surface
  • Cyber Attack
  • data breach
  • eBay
  • Endpoint Protection
  • maliciuos insider
  • Malware
  • Phishing
  • Principle of least privilege
  • Ransomware
  • Separation of Duties
  • strong passwords
  • Two factor Authentication
  • UAC
  • Vulnerability
  • Zero day exploits

Archive

  • March 2019 (2)
  • February 2019 (1)
  • January 2019 (2)
  • December 2018 (1)
  • November 2018 (2)
  • October 2018 (2)
  • September 2018 (1)
  • August 2018 (2)
  • July 2018 (1)
  • June 2018 (3)
  • May 2018 (2)
  • April 2018 (3)
  • March 2018 (3)
  • February 2018 (3)
  • January 2018 (3)
  • December 2017 (1)
  • November 2017 (3)
  • October 2017 (6)
  • September 2017 (1)
  • August 2017 (1)
  • July 2017 (5)
  • June 2017 (2)
  • May 2017 (5)
  • April 2017 (4)
  • March 2017 (3)
  • February 2017 (3)
  • January 2017 (2)
  • December 2016 (2)
  • November 2016 (5)
  • October 2016 (8)
  • September 2016 (4)
  • August 2016 (4)
  • July 2016 (6)
  • June 2016 (4)
  • May 2016 (4)
  • April 2016 (5)
  • March 2016 (6)
  • February 2016 (9)
  • January 2016 (7)
  • December 2015 (2)
  • November 2015 (6)
  • October 2015 (4)
  • September 2015 (4)
  • August 2015 (5)
  • July 2015 (6)
  • June 2015 (6)
  • May 2015 (9)
  • April 2015 (8)
  • March 2015 (8)
  • February 2015 (8)
  • January 2015 (10)
  • December 2014 (4)
  • November 2014 (9)
  • October 2014 (9)
  • September 2014 (9)
  • August 2014 (10)
  • July 2014 (10)
  • June 2014 (5)

Blogs I Follow

  • Banter Republic
  • We're all a bit radio rental
  • Gehad's Journey
  • Sea Library
  • Time Gents

Subscribe

RSS Feed

Advertisements
Create a free website or blog at WordPress.com.
Banter Republic

It's just banter

We're all a bit radio rental

Rae Raes World... Under Construction...

Gehad's Journey

Sea Library

Jūras bibliotēka Jūrmalā

Time Gents

Australian Pub Project

loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.
Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy
%d bloggers like this: