Password security for Active Directory is becoming extremely important for companies across the globe due to the proliferation of ransomware and security breaches. One area that may not get a lot of attention but is equally important to have a solution for are service accounts.

Since manually resetting service account passwords and having to make sure you update the password anywhere the account is being used can be a lot of work, most IT companies just do not do it. There are however some alternative approaches you can take to manually rotating service account passwords. Each method has some pros and cons.

Pros

• Removes the manual effort for the taks required after resetting the service account password
• Free

Cons

• Requires you to create and maintain your own script which takes time and testing
• Still need to manually reset the service account password in Active Directory

Pros

• Adds an additional level of security to your windows account
• Don’t need to worry about changing passwords and updating the password in Windows services and scheduled tasks

Cons

• Cost. You will need to pay per user per month for a third party hosted MFA solution
• Must enter the username, password, and MFA code every time you login unless you have a push notification solution which is generally more costly
• Even though you have MFA it is still possible to hack and if they do and the password never changes then you may be an easier target
• Does not cover when technicians leave your company. Even with MFA on the account you would at the very least want to reset the password then

Pros

• Never need to reset the password
• Password is difficult to hack since it’s very long and complex
• Access to the password is limited to only a few people
• Password is only accessible by the users who have permission to the vault and know the secret passphrase

Cons

• Only a limited number of users will have access to the password if it is needed. Requires those users share the password with other technicians when needed
• The password never changes and even though it is long and limited users have access if those users get infected with key logging malware the password can still be hacked

Pros

• Password rotation is handled automatically by Active Directory
• Automated process
• Passwords are automatically updated in Windows Services

Cons

• Does not support scheduled tasks
• Setup time required with PowerShell
• Cannot span multiple computers. It cannot be installed on more than one computer at once
• Must be supported by the application that uses the Window Service

Pros

• Complete automated solution
• Supports Windows Services and Scheduled Tasks
• Easy setup. No scripting knowledge required
• Integrates with IT Glue password manager
• Saves time and money

Cons

• Paid solution

Service Management Console

A service account is an Active Directory account that is used to authenticate a process that runs on a Windows Server or PC such as an accounting system or for SQL databases processes.

Windows Services are managed in the Services Management Console shown below.

When you open an individual Windows Service and click on the ‘Log On’ tab you can review which account is used to authenticate that Windows Service.

When you review which accounts that are used for authenticating Windows Services you will notice that some use the Local System account while others are using a specific Active Directory account with a password.

If the Local System account is specified there is no password used and therefore no password to rotate. The Local System account is a highly privileged account that is used by a number of Windows Services but is not suitable for all Windows Services.

‍

Scheduled Tasks

Service Accounts can also be used for authenticating Windows Scheduled Tasks that are accessed within the Task Scheduler application.

Similar to Windows Services in the Services Management Console you can use the Local System Account or a specific Active Directory domain account to authenticate the Scheduled Task.

This is a very important question. The answer is it depends on the circumstance. Active Directory accounts used for Windows Services and Scheduled tasks can be hacked just like any other account. In a lot of cases the accounts used for Windows Services and scheduled tasks have elevated permissions and therefore pose a greater risk if the account is breached.

Service Management Console

When you reset a service account password you must also update the password in either the Windows Services Management Console or in the Scheduled Task that uses the account. If you do not do this the process that the Windows Service manages will eventually stop when the process needs to re-authenticate or when you need to restart the service whichever comes first. For the scheduled task, the task will fail to run at the next scheduled time.  

This is a manual process to open the Windows Service, click on the Log On tab, enter the updated password, click apply then restart the service for the changes to take effect.

Scheduled Tasks

For Scheduled tasks you must open the scheduled task click OK then type in the updated password in the pop-up window then click Ok to complete the change.

If you would like to find out more about CyberQP’ Password Rotation solution, I encourage you to visit this page. If you have any questions or would like to proceed, book a demo with a CyberQP representative.

A report from Troy Hunt, the creator of the website Have I Been Pwned, alerted readers to a major data leak from Naz.API, a database containing data from over 70 million accounts and over a billion unique records. Hunt’s investigation has revealed “a significant volume of new data” and newly compromised accounts, and these accounts’ owners are at risk.

According to the report, a “well-known,” unnamed technology firm discovered the dataset in a hacking forum post published in September 2023, through a bug bounty submission, and contacted Hunt with these details. 

An investigation into these findings revealed that 34.97% (over one-third) of the email addresses in this dataset were new, and not available in Have I Been Pwned’s database. The report’s findings indicate that these credentials were compiled from infostealers exfiltrating  credentials from compromised endpoints and environments, and data stolen in several credential stuffing attacks and previous breaches. (In fact, Hunt also recognized his own information from an illegal website that allowed threat actors to search for people’s data.) 

The report also shared a screenshot of the stealer logs, which contained a URL to login, an email address to log in, and the password in his findings.

In total, Hunt identified 319 files, with a total file size of 104 GB. He was also able to verify that the credentials were real by contacting several people listed in these infostealer logs, and by using website password request forms or registration forms to confirm that the email address exists in their account bases.

Are You Rotating Your Credentials?

The size of this data leak poses a major risk to MSPs and end users alike, and truly emphasizes the risks associated with stale or reused credentials and standing privilege, such as persistent admin accounts. 

Are You Implementing Zero Standing Privilege?

That’s why security best practices require individuals and organizations to mitigate their risk by regularly rotating critical credentials, and limiting privileged access through solutions like Just-in-Time access.

CyberQP’s security experts recommend that concerned MSPs and end users take the following actions to mitigate their risk:

• Check if your data has been compromised with a service like Have I Been Pwned.
• Add another layer of protection to your key accounts, including complex passwords or passphrases and multi-factor authentication (2FA/MFA).
• For privileged accounts, utilize a password vault and implement additional protection, such as end user identity verification. 
• MSPs can implement a moving target defense for their privileged accounts by regularly rotating credentials to deter threat actors and prevent them from achieving a foothold in your environment or executing lateral movement attacks.  
• MSPs can also reduce their attack surface with Just-in-Time accounts that only grant privileged access for the amount of time a user needs it. Solutions like these also enable them to meet compliance and cyber insurance best practices by achieving zero standing privilege. 

CyberQP redefines Zero Trust Helpdesk Security with leading-edge Privileged Access Management (PAM) and End-User Access Management (EUAM) solutions. Our platform enables secure elevated access for both technicians and end users, along with robust self-serve and identity verification capabilities. Backed by SOC 2 Type 2 certification, we empower IT professionals to eliminate identity and privileged access security risks, enforce compliance, and enhance operational efficiency. Our mission is simple: “Empowering Access, Redefining Privilege” for help desks around the globe. To learn more visit: https://cyberqp.com/tours

When I heard this, I knew immediately how excited this one is going to make many of our partners. CyberQP has just launched its game-changing Zero Trust Helpdesk Security Platform, designed to tackle one of the biggest challenges in IT security: managing all the layers of privileged and end-user access without the headache. 

Let’s face it: cyber threats are getting smarter. Bad actors today are using sophisticated social engineering attacks like Vishing and impersonation to circumvent traditional cybersecurity tools. But with CyberQP’s platform, companies can lock down access, boost productivity, and rest easier knowing their systems are secure. 

At the heart of this new platform are two powerful tools: QGuard and QDesk. 

QGuard is your go-to solution for Privileged Access Management (PAM). It eliminates standing privileges, reduces the risk of credential-based attacks, and ensures technicians get only the access they need—when they need it. No more passwords to steal or stale admin accounts floating around.

QDesk takes End-User Access Management (EUAM) to the next level. It simplifies identity verification, manages password resets, and streamlines secure access for end users. Best part? It integrates seamlessly with your existing PSA tools like ConnectWise and Autotask.  

We get it—sometimes end users need admin access to get their jobs done. But granting full, unrestricted access? That’s a risk no one wants to take. That’s where End-User Elevation comes in. With this new feature, end users can request time-limited, process-based admin access that’s automatically revoked once they’re done. Technicians can approve just the applications or installations that require elevation, keeping security intact. 

• Auto Approval Rules Engine: Customize automatic approvals for trusted applications.
• Process-Based Elevation: Approve only what’s necessary without exposing the whole system.
• Audit Logs: Maintain complete visibility with detailed records of all elevation requests.
  

The CyberQP platform is built with Zero Trust principles at its core. That means no one is trusted by default—every request is verified, every action is logged, and access is always limited to the bare minimum required. 

This approach drastically reduces the attack surface, preventing ransomware attacks, credential theft, and other malicious activities. 

Ready to experience a more secure, efficient helpdesk? CyberQP’s Zero Trust Helpdesk Security Platform is available now. Say goodbye to standing privileges and hello to smarter, safer access management. 

Book a Demo and see how we’re redefining privilege management.

CyberQP redefines Zero Trust Helpdesk Security with leading-edge Privileged Access Management (PAM) and End-User Access Management (EUAM) solutions. Our platform enables secure elevated access for both technicians and end users, along with robust self-serve and identity verification capabilities. Backed by SOC 2 Type 2 certification, we empower IT professionals to eliminate identity and privileged access security risks, enforce compliance, and enhance operational efficiency. Our mission is simple: “Empowering Access, Redefining Privilege” for help desks around the globe. To learn more visit: https://cyberqp.com/tours