Privileged Service Account Management: Group Managed Service Accounts

Christopher Meek, IAM Consultant, SecureITsource, Inc.

Service accounts: Threat Outline

Service accounts are one of the most advantageous network credentials for a malicious user to target. They are the non-interactive accounts used to run your custom applications, websites, databases and scripts. They are often set to never expire and typically run with elevated privileges.

The permissions found on service accounts will vary from system to system. They could be domain admins or they could be locked down in accordance with least privilege. While some accounts may need domain admin, many software vendors will state that their application requires higher privileges than it will ever use. This happens more often than you might imagine and is part of the reason why managing those credentials becomes so important.

Non-expiring passwords with administrative privileges are extremely high risk.

In many networks, it is surprisingly easy for an admin to forgo a new account request and utilize an existing service account across multiple systems and applications. This is a nightmare scenario. Losing track of exactly where the account is used means risking an unscheduled outage just to rotate a password.

That is not to say we should give up. Multiple management solutions exist today and understanding your options is the first step to resolving the privileged account threat.

Group Managed Service accounts: The built-in solution for Windows Service Accounts

Group managed service accounts (gMSA) are not a common occurrence in IT despite, being available since Windows Server 2012. This may have to do with the original iteration, Managed Service Accounts, being restricted to individual servers or a low population of networks meeting the base requirements to utilize them. Now that server 2016 is available, 2012 Domain Controllers are much more prevalent, meeting the core gMSA requirement.

gMSAs have a lot of great things going for them. The 120 character passwords associated with gMSAs are automatically rotated by the domain controller and should not impact the service to which they are assigned. gMSAs also function as a control for preventing stored credential retrieval.

gMSA’s are currently supported by Microsoft for use in:

· Windows Services

· Scheduled Tasks (Management via Powershell only att)

· IIS Application Pools

· SQL Server 2016.

Be careful not to associate gMSAs with a Privileged Account Management (PAM) solution. These accounts are limited to Windows hosts and do not feature a credential vault. In fact, after installing a gMSA to a host, there is no password to enter, even when setting up new tasks or services. The account could be used for more tasks than originally intended, potentially even maliciously. This makes auditing and monitoring even more important.

While not flawless in execution, they immediately address many threats associated with service accounts. gMSAs really begin to shine when combined with a PAM solution that monitors administrative access to servers.

Privileged Account Management of traditional service accounts

A good PAM solution will lend itself nicely to the management of traditional service accounts. Each solution should provide an audit trail, a check-in/check-out repository with discrete access controls and a mapping to show exactly where your service accounts are in use. Session monitoring is also available to record Administrative actions against the services and tasks utilizing your service accounts

There are no PAM solution providers offering to vault gMSAs today and the reason is clear. In their current iteration, no one will ever need to know the password for a gMSA. Recall that once a gMSA is installed onto a host, a blank password is used during setup of a new service.

Managing account credentials and their services across multiple operating systems is only available through a dedicated PAM solution. Even if your Unix box has an AD-bridge attached…gMSAs would not be available for use. The ability to manage accounts regardless of their OS or usage gives clear advantage to visionary solution providers like CyberArk.


Should domain controllers be allowed to manage credentials for your critical services and tasks? If there are stale credentials plaguing your environment and a complete PAM solution is not on the roadmap for 2017, then it is worth trying as an alternative.

The argument is more difficult to make if your organization is already employing CyberArk or another complete PAM solution. However, it is worth watching to see how gMSAs continue to evolve, as they are a free alternative to the privileged service account threat.

SecureITsource is an authorized reseller and professional services partner with the industry’s leading Identity & Access Management solution providers. Our team of experienced consultants help our clients to achieve their IAM goals by providing strategy, design, and engineering expertise.