Windows infrastructure password management
In most of IT environments, Windows servers and systems are a significant component of the infrastructure. Local, domain, and service accounts constitute the core access to the Windows infrastructure. So, a breach of any of these high-privileged accounts is the worst-case scenario for any organization.
- Local administrator accounts: These are all powerful accounts on member servers
and clients that grant absolute control over their hosts. If the local administrator
passwords are weak, left unchanged, or used repeatedly on multiple accounts,
malicious users could gain unauthorized access to workstations. In the worst-case
scenario, an attacker with access to a local admin account could navigate widely
across the network and even elevate their privileges to that of a domain
- Domain administrator accounts: These are the accounts that have the widest
control over every object in the domain. They provide administrative privileges on
all workstations, servers, and domain controllers. Only a few, trusted administrators
should use the domain administrator accounts. And, they should use the account
only to log on to the domain controller systems that are as secure as the domain
controllers. This is because Windows systems are vulnerable to pass-the-hash
attacks. The single sign-on functionality of Windows allows users to enter
credentials once and then never have to enter the password again. Windows
actually caches the login details within the system in the form of password hashes. If
an attacker manages to access a system where the domain administrator had
logged on in the past using his domain admin credentials, the attacker could easily
obtain the hash and perpetrate an unauthorized transaction.
As a best practice approach, domain administrator accounts should not be used to
sign on to any system other than domain controllers. If there is a strong need to do
so, the password access should go through a workflow for one-time usage, after which it should be reset. Even if the domain admin accounts are prudently used
from trusted systems, they should be periodically changed.
- Service accounts: These are very powerful accounts used by the system programs to
run application software services or processes. These accounts often possess high
or even excessive privileges. Service account passwords are generally set to "never
change," due to the difficulty in discovering all dependent services and propagating
the password change. However, static service accounts make the enterprise a haven
Implementing proper controls and other standard security practices around these
privileged accounts can help reduce vulnerabilities and keep malicious attacks at bay.
Easily locate and manage privileged accounts in your Windows infrastructure.
An effective password management procedure for the Windows infrastructure calls for
identifying and consolidating the various privileged accounts on the network. Password
Manager Pro's discovery capabilities help detect the local admin and domain admin
accounts and automatically place them into the inventory. It also helps locate service
accounts by identifying the various Windows server components that are run using domain
accounts and mapping the services and scheduled tasks to respective accounts.
Secure your Windows account credentials with periodic password resets.
Security best practices demand that the privileged accounts on Windows infrastructure are
reset periodically or after every usage (request-release). Frequent password changes for
Windows resources also ensure regulatory compliance for the enterprise.
Manually performing password resets for all systems is cumbersome, making the presence
of an automated system convenient. With Password Manager Pro, local and domain admin
passwords—including service account passwords—can be periodically rotated through
scheduled reset tasks. For reinforced security, the account passwords can also be subject
to an access control workflow, which ensures that the passwords are instantly changed,
even after one-time usage by an authorized administrator.
When a service account password is reset, Password Manager Pro automatically
propagates the change across all dependent services associated with the account to avoid
any service stoppage.
Achieve a complete management routine with automated service restarts.
When a service account password is reset, associated Windows services usually require a
restart for the changes to take effect. Password Manager Pro helps automate this reboot
process with executable custom scripts to ensure that all applications and tasks
dependent on service accounts are properly updated.