Have you ever given any thought to the security issues related to your service accounts? Service accounts present a serious security risk. In this article, I’ll explain why. I’ll then offer some advice for fixing this security hole.
Why the big risk?
The biggest reason that service accounts are a threat to security is that many companies never change service account passwords. Consequently, anyone who’s done any work on the system in the entire history of the company probably knows the service account password. As if this isn't enough, consider the fact that service accounts often possess higher privileges than the administrator account.
To verify the level of privileges given to service accounts, check out the special permissions that Exchange Server assigns to them. To see this principle in action, try loading Exchange Server on a spare computer and setting up any account as the administrator. Once Exchange is up and running, stop all of the Exchange-related services and change the service account from whatever you're using to Administrator. When you attempt to restart the services, they won’t start because Administrator doesn’t have high enough privileges.
As you can see, some service accounts can have pretty hefty permissions. There’s absolutely nothing stopping a former employee or contractor from dialing into your network and logging on using the service account. Once logged on with the service account, such a person could do anything that they want to your network.
Fixing the problem
Now that you know the risks, it’s time for a solution. For starters, set the service account password to something that's hard to remember. Use a combination of uppercase and lowercase letters, numbers, and special symbols. Keep in mind, too, that the longer the password, the more secure it will be.
I also recommend changing the password every few weeks. Just be sure to keep a list of all of the locations at which the service account is used. Otherwise, your services won’t restart the next time they're shut down. For example, suppose you use an account called SVCACT for the Exchange service account. To change the password, you’d open the SVCACT account in User Manager For Domains and set the new password there. After doing so, you’d have to go into the Service Control Manager and set each individual Exchange service to use this account along with the new password.
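The two-step procedure above (keep a list of where the account is used, then update each service in the Service Control Manager) can be scripted. The following is an added example, not code from the article; it uses the Win32_Service CIM class as the modern equivalent of the Service Control Manager steps, and assumes the account name DOMAIN\SVCACT, the host list in $Computers, and that the directory-side password reset (User Manager For Domains in the article, Set-ADAccountPassword today) has already been done.

```powershell
# Added example (not from the original article): inventory every service that
# runs under a given service account, then push the new password into the
# Service Control Manager on each host via Win32_Service.Change.
# Assumptions: account DOMAIN\SVCACT, hosts MAIL01/MAIL02, directory password
# already reset. Run without -Apply first to produce the "where is it used" list.
param(
    [string]$Account     = 'DOMAIN\SVCACT',         # assumed account name
    [string[]]$Computers = @('MAIL01', 'MAIL02'),   # assumed host list
    [switch]$Apply                                  # inventory only unless set
)

# Prompt for the new password so it never lands in a script file or history.
$NewPassword = Read-Host -Prompt "New password for $Account" -AsSecureString
$Plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password

foreach ($Computer in $Computers) {
    # Win32_Service.StartName is the logon account the SCM starts the service as.
    $Services = Get-CimInstance -ClassName Win32_Service -ComputerName $Computer |
        Where-Object { $_.StartName -ieq $Account }

    if (-not $Services) {
        Write-Host "$Computer : no services use $Account"
        continue
    }

    foreach ($Svc in $Services) {
        # Record every location; this is the list the article says you must keep
        # so that services restart after the password is changed.
        Write-Host ("{0} : {1} ({2}) state={3}" -f $Computer, $Svc.Name, $Svc.DisplayName, $Svc.State)

        if ($Apply) {
            # Win32_Service.Change returns 0 on success. StartName is sent along
            # with StartPassword so the logon identity stays explicit.
            $Result = Invoke-CimMethod -InputObject $Svc -MethodName Change `
                -Arguments @{ StartName = $Account; StartPassword = $Plain }
            if ($Result.ReturnValue -ne 0) {
                Write-Warning "$Computer : $($Svc.Name) Change failed with code $($Result.ReturnValue)"
            }
        }
    }
}

# Drop the plaintext copy as soon as the loop is done.
$Plain = $null
```

The Change call only updates the stored credential; services that are already running keep going until their next restart, which is when the old password would otherwise have stopped them.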
Just because you'll change the password often doesn’t mean that you should set the service account password to expire automatically. Service account passwords always seem to have a tendency to expire at really inconvenient times when they're set up this way. For example, you wouldn’t want your service account password to expire while trying to fix another problem. You also don’t want it to expire while you’re on vacation, or for it to just catch you by surprise one morning.
Brien M. Posey is an MCSE who works as a freelance technical writer and as a network engineer for the Department of Defense. If you’d like to contact Brien, send him an e-mail. (Because of the large volume of e-mail he receives, it's impossible for him to respond to every message. However, he does read them all.)
The authors and editors have taken care in preparation of the content contained herein, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.