What is the difference between service accounts and managed service accounts?
To regain control, reset the service's logon property so that it is no longer associated with the managed account. To do this (for the service I tested against here), run the following command as an administrator:
You can also assign permissions to objects such as files using the normal permissions dialogue, exactly as you would for any other account.

Group Managed Service Accounts
The gMSA was introduced with Windows Server 2012. Unlike an MSA, a gMSA can be associated with multiple computers. Otherwise it behaves very similarly: the password is long and random, and for the gMSA it is generated by the domain's Key Distribution Service (from the KDS root key) rather than rotated by the host itself, and is exposed through a new AD attribute, msDS-ManagedPassword.
You then add the gMSA in a very similar way to adding an MSA:
Note that you specify the computer account of the target endpoint (through PrincipalsAllowedToRetrieveManagedPassword) as having permission to retrieve the managed password for the gMSA; a security group containing the computer accounts is the usual choice when more than one host is involved.
The critical difference, though, is that you can associate further devices with the account, not just a single device. You do so by allowing the device access (as in the set-adServiceAccount cmdlet above) and then repeating the association process on each endpoint you want to be associated with the gMSA.

Examining the gMSA managed password
The gMSA password can be retrieved using the example PowerShell script shown here. It must be run as LocalSystem on one of the authorised endpoints: only the principals listed in PrincipalsAllowedToRetrieveManagedPassword may read the attribute, and LocalSystem authenticates to AD as the endpoint's computer account. The password is returned unencrypted, as an MSDS-MANAGEDPASSWORD_BLOB structure holding the current and previous passwords, in the msDS-ManagedPassword attribute (the DC only returns it over a sealed LDAP connection).
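The provisioning steps above (create the gMSA, grant retrieval rights, associate each endpoint, bind a service) as one worked script. This is an added example, not code from the original post; the domain CORP, the account svc-web, the hosts WEB01 to WEB03 and the service MyService are placeholders, and it assumes the RSAT ActiveDirectory module is present. The first part runs with Domain Admin rights, the last part on each endpoint as a local administrator.

```powershell
# --- once per forest: gMSA passwords are derived from the KDS root key ---
if (-not (Get-KdsRootKey)) {
    # Production: Add-KdsRootKey -EffectiveImmediately, then wait ~10 h for replication.
    # Back-dating the effective time is for single-DC labs only.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# --- create the gMSA; a group of computer accounts is easier to maintain than a host list ---
New-ADGroup -Name 'gMSA-svc-web-Hosts' -GroupScope Global -GroupCategory Security   # placeholder name
Add-ADGroupMember -Identity 'gMSA-svc-web-Hosts' -Members 'WEB01$', 'WEB02$'

New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-svc-web-Hosts' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# Associate a further device later: group membership only, no change to the account.
# (Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword replaces the whole list,
#  so with a host list you must repeat every existing host as well.)
Add-ADGroupMember -Identity 'gMSA-svc-web-Hosts' -Members 'WEB03$'

# --- on each endpoint, after a reboot (or 'klist -li 0x3e7 purge') so the computer's
#     Kerberos ticket carries the new group membership ---
Install-ADServiceAccount -Identity 'svc-web'
if (-not (Test-ADServiceAccount -Identity 'svc-web')) {
    throw 'This host is not allowed to retrieve the managed password for svc-web'
}

# Bind the service to the account: gMSA names take a trailing $ and no password is supplied
sc.exe config MyService obj= 'CORP\svc-web$' password= ''
```

Test-ADServiceAccount is the check worth keeping in any deployment script: it performs the same managed-password retrieval the service will do at logon, so a False here means the service will fail to start rather than merely that the cmdlet was misconfigured.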
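The retrieval and decoding described above, as an added example that is not the original post's script. It assumes the layout of MSDS-MANAGEDPASSWORD_BLOB from MS-ADTS section 2.2.19 (a 16-byte header of version, reserved, length and four offsets, followed by null-terminated UTF-16LE passwords, padding, and two 8-byte intervals in 100 ns units). The account name svc-web is a placeholder; the sample blob is constructed test data, not a real gMSA password, so the parser can be exercised without a domain.

```powershell
function ConvertFrom-ManagedPasswordBlob {
    [CmdletBinding()]
    param([Parameter(Mandatory)][byte[]]$Blob)

    # Header: Version(2) Reserved(2) Length(4), then four 2-byte offsets measured from the blob start
    $version = [BitConverter]::ToUInt16($Blob, 0)
    if ($version -ne 1) { throw "Unsupported MSDS-MANAGEDPASSWORD_BLOB version $version" }
    $length = [BitConverter]::ToUInt32($Blob, 4)
    if ($length -ne $Blob.Length) { throw "Length field $length does not match the $($Blob.Length) bytes received" }
    $currentOffset   = [BitConverter]::ToUInt16($Blob, 8)
    $previousOffset  = [BitConverter]::ToUInt16($Blob, 10)   # 0 when no previous password exists
    $queryOffset     = [BitConverter]::ToUInt16($Blob, 12)
    $unchangedOffset = [BitConverter]::ToUInt16($Blob, 14)

    # Passwords are null-terminated UTF-16LE strings of random code units, not printable text
    $readWString = {
        param([int]$Offset)
        $end = $Offset
        while ($end + 1 -lt $Blob.Length -and -not ($Blob[$end] -eq 0 -and $Blob[$end + 1] -eq 0)) { $end += 2 }
        [Text.Encoding]::Unicode.GetString($Blob, $Offset, $end - $Offset)
    }
    $previous = $null
    if ($previousOffset -ne 0) { $previous = & $readWString $previousOffset }

    [pscustomobject]@{
        CurrentPassword           = & $readWString $currentOffset
        PreviousPassword          = $previous
        # 100-nanosecond units, which is also the resolution of .NET ticks
        QueryPasswordInterval     = [TimeSpan]::FromTicks([BitConverter]::ToInt64($Blob, $queryOffset))
        UnchangedPasswordInterval = [TimeSpan]::FromTicks([BitConverter]::ToInt64($Blob, $unchangedOffset))
    }
}

function Get-GmsaManagedPassword {
    # Run as LocalSystem on a host listed in PrincipalsAllowedToRetrieveManagedPassword
    param([Parameter(Mandatory)][string]$Name)
    Import-Module ActiveDirectory
    $account = Get-ADServiceAccount -Identity $Name -Properties 'msDS-ManagedPassword'
    $blob = $account.'msDS-ManagedPassword'
    if (-not $blob) { throw "No msDS-ManagedPassword returned: this principal may not retrieve it, or the LDAP session is not sealed" }
    ConvertFrom-ManagedPasswordBlob -Blob $blob
}

function New-SampleManagedPasswordBlob {
    # Constructed test data: structurally valid, with made-up passwords (assumption: not a real secret)
    $cur  = [Text.Encoding]::Unicode.GetBytes('Current-Pw')
    $prev = [Text.Encoding]::Unicode.GetBytes('Previous-Pw')
    $curOff   = 16                                                # header size
    $prevOff  = $curOff + $cur.Length + 2                         # +2 for the UTF-16 null terminator
    $queryOff = ($prevOff + $prev.Length + 2 + 7) -band (-bnot 7) # intervals are 8-byte aligned
    $unchOff  = $queryOff + 8
    $total    = $unchOff + 8
    $b = New-Object byte[] $total                                 # zero-filled: terminators and padding come free
    [Array]::Copy([BitConverter]::GetBytes([uint16]1),         0, $b, 0,  2)
    [Array]::Copy([BitConverter]::GetBytes([uint32]$total),    0, $b, 4,  4)
    [Array]::Copy([BitConverter]::GetBytes([uint16]$curOff),   0, $b, 8,  2)
    [Array]::Copy([BitConverter]::GetBytes([uint16]$prevOff),  0, $b, 10, 2)
    [Array]::Copy([BitConverter]::GetBytes([uint16]$queryOff), 0, $b, 12, 2)
    [Array]::Copy([BitConverter]::GetBytes([uint16]$unchOff),  0, $b, 14, 2)
    [Array]::Copy($cur,  0, $b, $curOff,  $cur.Length)
    [Array]::Copy($prev, 0, $b, $prevOff, $prev.Length)
    [Array]::Copy([BitConverter]::GetBytes([TimeSpan]::FromDays(3).Ticks),  0, $b, $queryOff, 8)
    [Array]::Copy([BitConverter]::GetBytes([TimeSpan]::FromDays(30).Ticks), 0, $b, $unchOff,  8)
    ,$b
}

# Offline demonstration against the constructed blob; for a real account use Get-GmsaManagedPassword -Name 'svc-web'
ConvertFrom-ManagedPasswordBlob -Blob (New-SampleManagedPasswordBlob)
```

The length check matters in practice: the attribute is only returned when the caller is authorised and the connection is sealed, so a missing or truncated blob is an authorisation or transport problem, not a parsing one. The decoded password is random UTF-16 and cannot be typed, which is why tooling that abuses it converts it to an NT hash rather than using it interactively.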
Domain accounts and local secrets
So, are these new account types more secure? Well, kind of. The passwords are long and complex and change regularly. However, they share the same weakness as normal domain accounts when used for service logons. A service has to be able to retrieve its logon credentials even when the domain controller cannot be contacted, because local endpoint resources might be secured using those credentials. Consequently, the credentials have to be stored locally in the endpoint registry, as LSA secrets.
As far as I can determine, the GUID value is the same for all MSAs created on the same endpoint.
The GUID appears to be constant (but different from the MSA GUID) for all gMSAs associated with an endpoint. However, the remainder of the LSA key changes for each gMSA on the endpoint.
How do I know this is the managed password? In running the PowerShell script above to retrieve it from Active Directory, I can easily compare it to the decrypted local secret value and identify its location.
As far as I am aware, the computer account password is also retrievable from the local secret in a similar way. Therefore, even when using local accounts to run a service, we need to be aware that the computer account they use to access network resources can potentially have its password exfiltrated and used by an attacker. However, like an MSA/gMSA, computer accounts cannot log in interactively.

Summary
How do we retrieve all this information? Well, it is quite complex but well documented, and involves extracting some registry hives normally accessible only to LocalSystem, then decrypting the information held in them. The decryption process relied on security by obscurity, but the algorithms were reverse-engineered some time back, so there is plenty of code in the public domain. In fact, the definitive reference is written in Python, making it really easy to understand. Microsoft made a small change in Windows 10 build 1703 to attempt to improve security, but it, too, was reverse-engineered within a short period of time. Intrinsically, if a local process needs to decrypt information offline, there is no way to protect that. This is why mobile devices should always enable full-disk encryption: that way, a stolen device cannot have credentials extracted from its disk storage subsystem.

What is a managed service account?
Managed Service Accounts are a Windows feature introduced in Windows Server 2008 R2 for increasing the security of non-user service accounts. Managed Service Accounts, shortened to MSAs, have an automatically managed, complex password that removes the requirement of manually dealing with password rotation and security.
What are the different types of service accounts?
Types of on-premises service accounts:
- Group managed service accounts: for services that run in your on-premises environment, use group managed service accounts (gMSAs) whenever possible. ...
- Standalone managed service accounts. ...
- Computer accounts. ...
- User accounts. ...
Use server logs and PowerShell to investigate. ...

What is a service account?
A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. Typically, service accounts are used in scenarios such as running workloads on virtual machines (VMs).
What is the key difference between a managed service account and a group managed service account?
The standalone managed service account (MSA) was introduced in Windows Server 2008 R2 and Windows 7 and is bound to a single computer. The group managed service account (gMSA) provides the same functionality within the domain but extends it across multiple servers.