How do you manage service account credentials (passwords)? [closed]
In a Windows environment how do you address the following issues with service accounts?
- Regular password changes - with a single service account used on multiple machines, how do you regularly change passwords without significant outage periods? Do you tend to just never change them?
- Keeping track of passwords - by necessity, multiple people need to know these; how do you record the passwords whilst keeping them reasonably secret?
- To what extent do you use the same account across multiple machines / services? How do you track which account is being used where? Any tools to help with this?
- Has anyone found any good resources for appropriate minimum permission settings for common service account requirements for applications such as SQL Server, SharePoint etc.?
Solution 1:
Many of our customers use Secret Server to manage their service accounts.
It can automatically discover where your service accounts are used (it will scan your network for usages) and then these Windows services can be added as a "dependency" for the credential. An expiration schedule can be set (say every 30 days) and then it will automatically generate a new random password for the AD service account and change all the places it is used (even stopping and restarting the Windows services). Secret Server also supports IIS application pool users and Windows scheduled tasks as "dependencies".
Get a free 30-day trial here: http://www.thycotic.com
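The two halves of what the question asks for (finding every place an account is used, then rotating it without an outage) and the discover-then-rotate loop the answer above attributes to Secret Server can be shown in a few dozen lines of PowerShell. The script below is an added example, not code from the question, the answer or the product. It assumes WinRM is enabled, you are an administrator on the targets, the ActiveDirectory RSAT module is installed where you run it, and the placeholder names `CONTOSO\svc-app`, `APP01` and `WEB01`. Without `-Rotate` it only reports usages; with `-Rotate` it resets the AD password to a random value and pushes it to every service, scheduled task and IIS application pool it found.

```powershell
# Added example: inventory and (optionally) rotate a domain service account.
# Not part of the original question/answers and not Secret Server's code.
# Placeholders: CONTOSO\svc-app, servers APP01 and WEB01.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$Account,           # 'CONTOSO\svc-app' (DOMAIN\user form)
    [string[]]$ComputerName = @('APP01', 'WEB01'),    # placeholder servers
    [switch]$Rotate
)

# Runs on every target. With $newPassword = $null it only reports usages;
# with a password it updates each dependency and restarts/recycles it.
$remote = {
    param($acct, $newPassword)
    $found = @()

    # Windows services. Comparison is exact: a service configured as
    # 'svc-app@contoso.com' or '.\svc-app' would be missed (a real tool
    # normalises the logon name first).
    $found += @(Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -ieq $acct } |
        ForEach-Object { [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Object = $_ } })

    # Scheduled tasks (ScheduledTasks module, Windows Server 2012 and later).
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $found += @(Get-ScheduledTask |
            Where-Object { $_.Principal.UserId -ieq $acct } |
            ForEach-Object { [pscustomobject]@{ Type = 'ScheduledTask'; Name = $_.TaskName; Object = $_ } })
    }

    # IIS application pools (WebAdministration module, where IIS is installed).
    if (Get-Module -ListAvailable WebAdministration) {
        Import-Module WebAdministration
        $found += @(Get-ChildItem IIS:\AppPools |
            Where-Object { $_.processModel.userName -ieq $acct } |
            ForEach-Object { [pscustomobject]@{ Type = 'AppPool'; Name = $_.Name; Object = $_ } })
    }

    foreach ($hit in $found) {
        $status = 'found'
        if ($newPassword) {
            switch ($hit.Type) {
                'Service' {
                    # Win32_Service.Change writes the new logon password into the SCM.
                    $r = Invoke-CimMethod -InputObject $hit.Object -MethodName Change `
                            -Arguments @{ StartName = $acct; StartPassword = $newPassword }
                    if ($r.ReturnValue -eq 0) {
                        Restart-Service -Name $hit.Name -Force
                        $status = 'updated, restarted'
                    } else {
                        $status = "Change failed, return code $($r.ReturnValue)"
                    }
                }
                'ScheduledTask' {
                    Set-ScheduledTask -TaskName $hit.Name -TaskPath $hit.Object.TaskPath `
                        -User $acct -Password $newPassword | Out-Null
                    $status = 'updated'
                }
                'AppPool' {
                    # identityType 3 = SpecificUser
                    Set-ItemProperty "IIS:\AppPools\$($hit.Name)" -Name processModel `
                        -Value @{ userName = $acct; password = $newPassword; identityType = 3 }
                    Restart-WebAppPool -Name $hit.Name
                    $status = 'updated, recycled'
                }
            }
        }
        [pscustomobject]@{ Type = $hit.Type; Name = $hit.Name; Status = $status }
    }
}

$newPassword = $null
if ($Rotate -and $PSCmdlet.ShouldProcess($Account, 'Reset AD password and update dependencies')) {
    # 24 random bytes -> 32 base64 characters. This nearly always satisfies the
    # default AD complexity rule (three of four character classes); a real tool
    # would validate against the domain's password policy before resetting.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = [Convert]::ToBase64String($bytes)

    $sam = ($Account -split '\\')[-1]
    Set-ADAccountPassword -Identity $sam -Reset `
        -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)
}

Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote -ArgumentList $Account, $newPassword |
    Select-Object PSComputerName, Type, Name, Status |
    Sort-Object PSComputerName, Type |
    Format-Table -AutoSize
```

Two caveats matter for the "outage" part of the question. A running service keeps its logon token after the AD password changes, so nothing breaks until the service restarts; the window between the AD reset and the push to each host only hurts scheduled tasks that fire in that window and any host that is unreachable when the script runs. For that reason the report lists every dependency and its status: anything still marked "found" after a rotation is now holding a dead password, and a production tool would keep the previous password to roll back rather than leave it there. Run with `-WhatIf` first to see what would be touched.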
Solution 2:
Switching to Server 2008 R2 all around ^^ (OK, maybe not - but I thought I should mention the Managed Service Account and Virtual Account features of it, which promise to resolve this mess)
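Managed Service Accounts remove the rotation problem because the domain controller changes the password itself and the member server retrieves it, so nobody ever knows or stores it. The example below is added here and is not part of the answer above; it shows the group Managed Service Account (gMSA) form from Windows Server 2012, which generalises the 2008 R2 MSA the answer mentions to more than one host (the single-computer MSA uses the same cmdlets with `-RestrictToSingleComputer`), followed by the Virtual Account form for a service that needs no domain account at all. It assumes the ActiveDirectory RSAT module, a forest that supports gMSA, and the placeholder names `CONTOSO`, `SQL-Servers`, `gmsa-sql`, `MSSQLSERVER` and `MyLocalService`.

```powershell
# Added example (not from the original answer): provision a gMSA and point a
# service at it, then the virtual-account alternative. Placeholder names:
# domain CONTOSO, computer group SQL-Servers, account gmsa-sql, services
# MSSQLSERVER and MyLocalService.
Import-Module ActiveDirectory

# One-time, per forest: the KDS root key that gMSA passwords are derived from.
# -EffectiveImmediately is for a lab; in a real forest the key still needs
# about 10 hours to replicate to every DC before the account can be used.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# The account object. Only members of SQL-Servers (computer accounts) may
# retrieve the password; the domain rotates it every 30 days on its own.
New-ADServiceAccount -Name 'gmsa-sql' `
    -DNSHostName 'gmsa-sql.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL-Servers' `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# --- Run on each member of SQL-Servers (after a reboot, so its Kerberos
# ticket carries the new group membership) ---
Install-ADServiceAccount -Identity 'gmsa-sql'
if (-not (Test-ADServiceAccount -Identity 'gmsa-sql')) {
    throw 'This host cannot retrieve the gMSA password; check group membership and replication'
}

# Bind the service to the account. The password is deliberately blank: the
# service control manager fetches it from the domain at start-up. The same
# change can be made in services.msc by entering the account with no password.
sc.exe config 'MSSQLSERVER' obj= 'CONTOSO\gmsa-sql$' password= ''
Restart-Service -Name 'MSSQLSERVER'

# Virtual account: no object is created in AD at all. Locally the service
# runs as NT SERVICE\<name>; on the network it appears as the computer
# account, which is enough for a service that only needs local rights.
sc.exe config 'MyLocalService' obj= 'NT SERVICE\MyLocalService' password= ''
Restart-Service -Name 'MyLocalService'
```

Note that `sc` on its own is a PowerShell alias for `Set-Content`, hence `sc.exe`, and that the `obj=` and `password=` arguments require the space after the equals sign. The trade-off is that the software has to tolerate the account: anything that asks for a password it can store, or that runs on a non-domain host, cannot use either form.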
Solution 3:
Joel,
We use a third party application to manage the rotation of passwords for service accounts. The app tracks the passwords, creates new ones, and offers a vault so that you can access the passwords if and when necessary.
We try to reuse service accounts when possible, and as part of the account creation process we have a form that people need to complete. When the form is submitted it is saved, and the account that was created gets saved with the form. That way, if we need to know who uses the account or why it was created, we can research it. We also make certain the manager field in AD is filled in correctly, and managers are assigned the task of knowing what service accounts they are responsible for.
MSDN would have a wealth of information regarding the minimum permissions required for common service account settings. As always, how you configure those settings depends upon the needs of your environment.
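The ownership scheme in the answer above (a form per account and a populated `manager` attribute) only works if someone checks that the data is still true. The script below is an added example, not the answer's own tooling; it reports service accounts whose owner is missing or whose owner's account has since been disabled, and flags passwords older than a chosen threshold, which also answers the question's "do you just never change them?". It assumes the ActiveDirectory RSAT module and the placeholder convention that service accounts live under `OU=Service Accounts,DC=contoso,DC=com`.

```powershell
# Added example (not from the original answer): audit service accounts for a
# valid owner in the AD 'manager' attribute and for password age.
# Placeholder search base: OU=Service Accounts,DC=contoso,DC=com
Import-Module ActiveDirectory

$searchBase         = 'OU=Service Accounts,DC=contoso,DC=com'   # placeholder
$maxPasswordAgeDays = 90                                         # local policy choice

Get-ADUser -SearchBase $searchBase -Filter * `
    -Properties manager, passwordLastSet, description |
  ForEach-Object {
    # 'manager' holds the owner's distinguished name; resolve it so we can
    # tell a missing owner from one who has left (account disabled/deleted).
    $owner = $null
    if ($_.manager) {
        $owner = Get-ADUser -Identity $_.manager -ErrorAction SilentlyContinue
    }
    $ownerProblem = if (-not $owner)           { 'missing' }
                    elseif (-not $owner.Enabled) { 'disabled' }
                    else                         { '' }

    # passwordLastSet is $null when the password has never been set or the
    # "must change at next logon" flag is on; treat both as stale.
    $ageDays = if ($_.passwordLastSet) { (New-TimeSpan -Start $_.passwordLastSet).Days } else { $null }
    $stale   = ($null -eq $ageDays) -or ($ageDays -gt $maxPasswordAgeDays)

    [pscustomobject]@{
        Account         = $_.SamAccountName
        Enabled         = $_.Enabled
        Owner           = if ($owner) { $owner.SamAccountName } else { '<none>' }
        OwnerProblem    = $ownerProblem
        PasswordAgeDays = $ageDays
        Stale           = $stale
        Purpose         = $_.description   # where the form's "why" should be recorded
    }
  } |
  Where-Object { $_.OwnerProblem -or $_.Stale } |
  Sort-Object OwnerProblem, PasswordAgeDays -Descending |
  Format-Table -AutoSize
```

Schedule it and send the output to whoever owns the process; an empty report is the goal. If service accounts are not kept in one OU, filter on a naming convention instead (for example `-Filter "SamAccountName -like 'svc-*'"`).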