The Right Way: Service Accounts (Learned the tragic way)

It's 2023 and people still use Admin accounts for Services?


FOR YOU BOZOS WHO DON'T KNOW WHAT I'M TALKING ABOUT:

Active Directory (AD) Service Accounts are specialized accounts in your domain used for applications, services or processes to interact with the network or other resources.

Let's say there's an LDAP connection between your Domain Controller and a Firewall to enable Identity management. This requires an account to use for the service to gain access and integrate properly in your environment. This is one example of where a service account is used.


THE TRAGEDY:

My team is a growing team; it's small and new and, suffice it to say, not managed well historically. A really big problem that hit us (mostly me) pretty hard recently was the misuse of Admin Accounts.

Our only senior engineer, who had a power monopoly over the infrastructure, unfortunately left the company on bad terms. This led to a number of security measures being taken, which included disabling his admin account. If I knew back then what I know now, I would've brought up an alternative, but sometimes ya just gotta do what the boss tells ya to do!

And so hell came: a hundred things stopped working. Remote gateway servers died, VPN users could no longer authenticate, users lost rights. So obviously I was panicking like crazy, employees calling left and right, stakeholders on our doorsteps, directors on our director's thing.

Came to find out, this person used his privileged account to run most of our services instead of using a Service Account. None of this was documented because, like I said, the team is new, the team is kinda trash (at the moment; I'm tryna turn it around).

After the busiest week of my life, I was finally able to track down most of the services that stopped because they relied on his admin account to run. Even now, though, I still think there are things in our environment using it that I haven't found. Fingers crossed nothing catastrophic.

THE RIGHT WAY:

If you want to integrate your environment with a Palo Alto firewall, create a "service_paloalto" account.
If you want to integrate your environment with Azure, create a "service_azure" account.

This improves security in your environment. Think about it: you only need to delegate the permissions that each service actually uses, nothing unnecessary. You also isolate the accounts per service, so there's no connection between them and disabling or resetting one doesn't take the others down with it. Lastly, when you log and audit these accounts, the results are granular and properly segmented.
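Here is the two-sided version of that advice as PowerShell, added here as an example and not from the original post: first find out what is still running under a given account before anyone disables it (services, scheduled tasks, and recent logon events on the domain controllers), then provision a dedicated, least-privilege account for one integration. It assumes the ActiveDirectory RSAT module, WinRM access to your servers, and rights to create users; the domain name, OU, group name and the "service_paloalto" account are placeholders you would swap for your own.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module,
# WinRM to member servers, and rights to create users. All names below are placeholders.
Import-Module ActiveDirectory

function Find-AccountUsage {
    # Lists services, scheduled tasks and DC logon events that use $SamAccountName.
    # Run this BEFORE disabling an account, so nothing "just breaks" later.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' |
        Select-Object -ExpandProperty Name

    foreach ($s in $servers) {
        try {
            # Windows services whose "Log On As" is this account (DOMAIN\user or user@domain).
            Get-CimInstance -ClassName Win32_Service -ComputerName $s -ErrorAction Stop |
                Where-Object { $_.StartName -like "*$SamAccountName*" } |
                ForEach-Object {
                    [pscustomobject]@{ Server = $s; Type = 'Service'; Name = $_.Name; RunAs = $_.StartName }
                }

            # Scheduled tasks whose principal is this account.
            Invoke-Command -ComputerName $s -ErrorAction Stop -ScriptBlock {
                Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$using:SamAccountName*" } |
                    ForEach-Object {
                        [pscustomobject]@{ Server = $env:COMPUTERNAME; Type = 'ScheduledTask'
                                           Name = $_.TaskName; RunAs = $_.Principal.UserId }
                    }
            }
        } catch {
            # Unreachable hosts are reported, not silently skipped: they are exactly
            # where an undocumented dependency tends to hide.
            Write-Warning "Could not query $s : $_"
        }
    }

    # Anything else (LDAP binds from appliances, VPN, etc.) shows up as 4624 logons on the DCs.
    $since = (Get-Date).AddDays(-7)
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -LogName Security -ErrorAction SilentlyContinue -FilterXPath (
            "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='$SamAccountName']]") |
            Where-Object { $_.TimeCreated -gt $since } |
            ForEach-Object {
                [pscustomobject]@{ Server = $dc; Type = 'Logon4624'; Name = $_.TimeCreated; RunAs = $SamAccountName }
            }
    }
}

function New-ServiceAccount {
    # Creates one isolated account for one integration with a long random password.
    # Permissions come from a purpose-built group, never from Domain Admins.
    param(
        [Parameter(Mandatory)][string]$ServiceName,              # e.g. 'paloalto'
        [string]$OU        = 'OU=Service Accounts,DC=example,DC=local',   # placeholder
        [string]$UpnSuffix = 'example.local',                              # placeholder
        [string]$RightsGroup = 'GRP-LDAP-ReadOnly'                         # placeholder
    )
    $sam = "service_$ServiceName"

    # 32 random bytes -> base64; put the result in your password vault, not in a script.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" -Path $OU `
        -Description "Service account for $ServiceName integration; owner: <team> (documented!)" `
        -AccountPassword $password -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true

    # Never let this identity be delegated; interactive logon is then denied via GPO.
    Set-ADAccountControl -Identity $sam -AccountNotDelegated $true

    # Least privilege: only the group that grants what the integration needs.
    Add-ADGroupMember -Identity $RightsGroup -Members $sam
    return $sam
}

# Usage (placeholders): audit the account that is about to be disabled, then provision the replacement.
Find-AccountUsage -SamAccountName 'jdoe-admin' | Format-Table -AutoSize
New-ServiceAccount -ServiceName 'paloalto'
```

The audit function is the part that would have shortened "the busiest week of my life" to an afternoon: services and scheduled tasks are the dependencies you can see on the box, while the 4624 search on the domain controllers catches the ones you can't, such as an appliance doing LDAP binds with the account. For Windows services and scheduled tasks on domain members, a group Managed Service Account (gMSA) is the better option because it removes password handling entirely; for a third-party LDAP bind like the firewall example, a dedicated account with a vaulted password is what you are left with, so make it this one.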

This might be a common precautionary thought to a lot of smart folks out there but apparently not to me (or to my boss LOL). Good times though!


- Patrick


