Windows infrastructure password management

In most of IT environments, Windows servers and systems are a significant component of the infrastructure. Local, domain, and service accounts constitute the core access to the Windows infrastructure. So, a breach of any of these high-privileged accounts is the worst-case scenario for any organization.

• Local administrator accounts: These are all powerful accounts on member servers and clients that grant absolute control over their hosts. If the local administrator passwords are weak, left unchanged, or used repeatedly on multiple accounts, malicious users could gain unauthorized access to workstations. In the worst-case scenario, an attacker with access to a local admin account could navigate widely across the network and even elevate their privileges to that of a domain administrator.


• Domain administrator accounts: These are the accounts that have the widest control over every object in the domain. They provide administrative privileges on all workstations, servers, and domain controllers. Only a few, trusted administrators should use the domain administrator accounts. And, they should use the account only to log on to the domain controller systems that are as secure as the domain controllers. This is because Windows systems are vulnerable to pass-the-hash attacks. The single sign-on functionality of Windows allows users to enter credentials once and then never have to enter the password again. Windows actually caches the login details within the system in the form of password hashes. If an attacker manages to access a system where the domain administrator had logged on in the past using his domain admin credentials, the attacker could easily obtain the hash and perpetrate an unauthorized transaction.
  
  As a best practice approach, domain administrator accounts should not be used to sign on to any system other than domain controllers. If there is a strong need to do so, the password access should go through a workflow for one-time usage, after which it should be reset. Even if the domain admin accounts are prudently used from trusted systems, they should be periodically changed.


• Service accounts: These are very powerful accounts used by the system programs to run application software services or processes. These accounts often possess high or even excessive privileges. Service account passwords are generally set to "never change," due to the difficulty in discovering all dependent services and propagating the password change. However, static service accounts make the enterprise a haven for hackers.

Implementing proper controls and other standard security practices around these privileged accounts can help reduce vulnerabilities and keep malicious attacks at bay.

Easily locate and manage privileged accounts in your Windows infrastructure.

An effective password management procedure for the Windows infrastructure calls for identifying and consolidating the various privileged accounts on the network. Password Manager Pro's discovery capabilities help detect the local admin and domain admin accounts and automatically place them into the inventory. It also helps locate service accounts by identifying the various Windows server components that are run using domain accounts and mapping the services and scheduled tasks to respective accounts.

Secure your Windows account credentials with periodic password resets.

Security best practices demand that the privileged accounts on Windows infrastructure are reset periodically or after every usage (request-release). Frequent password changes for Windows resources also ensure regulatory compliance for the enterprise.

Manually performing password resets for all systems is cumbersome, making the presence of an automated system convenient. With Password Manager Pro, local and domain admin passwords—including service account passwords—can be periodically rotated through scheduled reset tasks. For reinforced security, the account passwords can also be subject to an access control workflow, which ensures that the passwords are instantly changed, even after one-time usage by an authorized administrator.

When a service account password is reset, Password Manager Pro automatically propagates the change across all dependent services associated with the account to avoid any service stoppage.

Achieve a complete management routine with automated service restarts.

When a service account password is reset, associated Windows services usually require a restart for the changes to take effect. Password Manager Pro helps automate this reboot process with executable custom scripts to ensure that all applications and tasks dependent on service accounts are properly updated.