Service account password rotation

Service accounts are the unseen heroes of your organization’s architecture – they keep critical services running. While most organizations are generally aware of the sensitive nature of service accounts, password practices can still be poor. It is not uncommon for an organization to leave a default password in place, reuse the same password across several accounts, or never change the password at all. There are even cases of organizations using blank passwords, or accounts for which no password is required. These practices, combined with the fact that service accounts are often provisioned with far more privileges than they need, make them ripe for abuse. To minimize this threat, it is important to secure these critical accounts so that no threat actor can take advantage of them and wreak havoc.

What are the typical best-practice strategies for managing service accounts? One strategy that keeps attackers guessing is to rotate service account passwords regularly, replacing each with a strong, unique password.

Designing the service account password rotation policy

Service account passwords are often not rotated for one of two reasons: the fear of disrupting running services, or they are simply forgotten. A rotated password only takes effect once the service, script, or container that uses it is restarted with the new credential, which is why service accounts are considered at higher risk of disruption when passwords are rotated.

When applying a service account password rotation policy, you will likely need to test the rotation before relying on it. The credential update and the restart that follows double as a resilience test of your infrastructure and services, helping you prepare for the disruptions that will inevitably occur in the future.

Implementing a password rotation policy

With the rationale laid out, what are the typical steps for rotating service account passwords? Usually, service accounts run backend services, scheduled scripts, or containers. In each of these cases, there are several considerations, including:

  • Are service accounts shared amongst several different services, scripts, or containers?
  • What follow-up actions need to be taken after a password rotation? This may include a service or application restart to apply the updated credential token.
  • Where should the newly created service account passwords be stored and tracked?
  • Are the password rotations done automatically or manually by individuals tasked to complete the process?
  • Are there specific service account password limitations, such as complexity, as defined by the associated service?

There are many ways to securely and properly accomplish service account password rotations, with many tools available to do so. Documentation is critical to tracking where service accounts are utilized and the associated password complexity requirements. This documentation may be automatically created through scripts looking for account usage or manually managed by an organization.

The actions to take after a service account password has been rotated are typically unique to each associated service. There is often a timing component and manual intervention required for some services that rely on GUI interfaces. All service account password rotations that can be automated should be prioritized, and include a check at the end of the rotation to verify that the service is operating nominally.

Newly rotated passwords should be managed in a password management tool. With automation cutting down the possibility of human error, service account password rotation becomes more repeatable and more resilient against mistakes.
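The procedure above, from discovering where an account is used through the post-restart check, as an added PowerShell example. This is not code from the Specops post or from Specops; it assumes the RSAT ActiveDirectory module is installed, that the caller can reset the account's password, that each server is reachable over CIM/WinRM, and that the consumers of the account are Windows services logging on with it. The account name, the server names and `Save-ToVault` are placeholders.

```powershell
<#
  Added example (not from the Specops post, not Specops code): rotate an Active
  Directory service account password, update every Windows service that logs on
  with it, restart those services and confirm they come back. Assumes the RSAT
  ActiveDirectory module, rights to reset the account, and CIM/WinRM access to
  each server. Account and server names are placeholders.
#>
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. 'svc-app' (placeholder)
    [string[]] $Servers = @('app01', 'app02'),         # placeholder hosts to inspect
    [int]      $PasswordLength = 32                    # respect the service's documented limits
)

function New-RandomPassword {
    param([int] $Length)
    # CSPRNG-backed; Base64 output is printable and avoids quoting problems in service configs.
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes).Substring(0, $Length)
}

function Find-ServicesUsingAccount {
    param([string] $SamAccountName, [string[]] $Servers)
    # Records where the account is used (the "shared amongst services?" question).
    # Windows stores the logon name as DOMAIN\name or name@domain, so match both spellings.
    $netbios = (Get-ADDomain).NetBIOSName
    $upn     = (Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName).UserPrincipalName
    $names   = @("$netbios\$SamAccountName", $upn) | ForEach-Object { $_.ToLowerInvariant() }
    Get-CimInstance -ClassName Win32_Service -ComputerName $Servers |
        Where-Object { $_.StartName -and $_.StartName.ToLowerInvariant() -in $names }
}

function Wait-ServiceState {
    param($Service, [string] $State, [int] $TimeoutSeconds = 60)
    # Service control methods return before the transition completes, so poll with a timeout.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $current = (Get-CimInstance -ClassName Win32_Service -ComputerName $Service.PSComputerName `
                        -Filter "Name = '$($Service.Name)'").State
        if ($current -eq $State) { return $true }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-ServiceAccountRotation {
    param([string] $SamAccountName, [string[]] $Servers, [int] $PasswordLength)

    $services = @(Find-ServicesUsingAccount -SamAccountName $SamAccountName -Servers $Servers)
    Write-Host "$($services.Count) service(s) log on as $SamAccountName on $($Servers -join ', ')"

    $plain  = New-RandomPassword -Length $PasswordLength
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # 1. Reset in AD. Writing to the PDC emulator makes the new password usable at once;
    #    other domain controllers receive it through replication (the timing component).
    Set-ADAccountPassword -Identity $SamAccountName -NewPassword $secure -Reset `
        -Server (Get-ADDomain).PDCEmulator

    # 2. Record it in the password manager BEFORE touching services, so a failed restart
    #    never leaves a password that exists only in this process's memory.
    #    Save-ToVault is a hypothetical placeholder for your vault's API.
    # Save-ToVault -Name $SamAccountName -Secret $secure

    # 3. Push the new password into each service's stored logon credential, restart, verify.
    foreach ($svc in $services) {
        $row = [ordered]@{ Server = $svc.PSComputerName; Service = $svc.Name; Result = '' }
        $change = Invoke-CimMethod -InputObject $svc -ComputerName $svc.PSComputerName -MethodName Change `
                      -Arguments @{ StartName = $svc.StartName; StartPassword = $plain }
        if ($change.ReturnValue -ne 0) {
            $row.Result = "Change failed (code $($change.ReturnValue))"; [pscustomobject]$row; continue
        }
        $null = Invoke-CimMethod -InputObject $svc -ComputerName $svc.PSComputerName -MethodName StopService
        if (-not (Wait-ServiceState -Service $svc -State 'Stopped')) {
            $row.Result = 'Did not stop'; [pscustomobject]$row; continue
        }
        $null = Invoke-CimMethod -InputObject $svc -ComputerName $svc.PSComputerName -MethodName StartService
        # The nominal-operation check: the service must return to Running with the new credential.
        $row.Result = if (Wait-ServiceState -Service $svc -State 'Running') { 'Running' } else { 'FAILED to start - investigate' }
        [pscustomobject]$row
    }
}

Invoke-ServiceAccountRotation -SamAccountName $SamAccountName -Servers $Servers -PasswordLength $PasswordLength |
    Format-Table -AutoSize
```

Run it first against a test server with a non-critical service, as the section on designing the policy recommends; a row that does not end in `Running` is the signal to stop and investigate before the same rotation is scheduled for production. Services whose credentials live outside the Windows service database (scheduled tasks, application config files, containers) need their own update step in place of the `Change` call, which is exactly the per-service documentation the post asks you to maintain.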

Service account security with Specops Password Auditor

With all that said, how do you make sure that the passwords used in production are secure, and meet necessary regulatory requirements? Specops Password Auditor (free) audits your service accounts and finds accounts with identical passwords. This can be multiple service accounts using the same password, or service accounts where an administrator has used their own password as the service account password. Specops Password Auditor also finds blank passwords, and breached passwords. Instead of auditing every account, use Specops Password Auditor to find vulnerabilities, and take advantage of these features:

  • Check password policy settings against industry standards, such as NIST.
  • Check accounts against a list of vulnerable passwords obtained from data breaches.
  • Find accounts with identical, blank, and expired passwords.

Specops Password Auditor is a read-only program and can be run from any domain-joined workstation.

For more information:

Impact of running Specops Password Auditor on Active Directory

Download Specops Password Auditor (FREE).

(Last updated on November 7, 2022)


Written by

Adam Listek

The Director and Writing Success Manager of ATA Learning. Over 20 years of IT experience in multiple fields ranging from healthcare to higher education and everything in between.
