TMCnews Featured Article

June 15, 2011

Enterprise Password Management: Service Accounts -- Are Your Passwords Floating Around Out There?

By David Sims, TMCnet Contributing Editor

You know what service accounts are -- they’re used to run applications on your network, including Windows Services, Windows Scheduled Tasks and even the AppPools within IIS for web applications. Many companies, yours probably among them, create these service accounts as needed over time. Administrators reuse these accounts as new systems are installed. According to Thycotic, an enterprise password management software provider, this practice, while convenient, can lead to the same credentials being spread across many systems.

Officials at the company identified two specific problems this practice leads to. First, it’s hard to identify all the places on your network using a particular service account credential. Second, it is “scary,” they say, to change the password on a service account, “because you have to then update all the places using that password else applications will start to fail and cause outages.”

And if that’s ever happened to your company, you know it’s just the sort of thing you really want to avoid. But that doesn’t change the fact that these service accounts are very powerful and often overused, and that their passwords are known to too many people.

As Thycotic officials say, fear of such dire consequences usually means companies take an even worse option and avoid the issue altogether, simply not changing the service account passwords, even when people change teams or leave the company. Imagine for a minute the mischief a disgruntled ex-employee who still has the passwords can cause.

Or worse yet -- maybe you don’t have to imagine it. If this has happened to you then you understand where we’re coming from.

There is a good product from Thycotic that helps companies avoid this sort of problem. Secret Server can scan the network to find where a service account is being used, and then update all the places using that credential when the password is changed. This makes it feasible for companies to follow security best practices and get their service accounts back under control.

David Sims is a contributing editor for TMCnet.

Edited by Jamie Epstein