Posted on March 29, 2014 · Posted in Active Directory

Active Directory: Managed Service Accounts

There is an opportunity to get an administrator password if any of the services is run with administrator privileges. The passwords of the accounts, under which Windows services are run, are stored encrypted in the registry (LSA Secrets) at the following path:

HKEY_LOCAL_MACHINE/Security/Policy/Secrets
There are some ways of getting passwords from the LSA Secrets:

  • Copy the registry path into a temporary path and then decipher the encrypted passwords
  • Use shadow copies
  • Use special tools that work with the process lsass.exe

Let’s try to get the password of the account under which SQL Server is run.
There is:

  • Domain controller at Windows Server 2012 R2
  • SQL Server Express 2012

During the SQL Server installation specify the existing domain account (the password length is less than 14 symbols) to run it.
sql server service account
Use the gsecdump utility to extract passwords.
Run PowerShell as administrator and run the command:

1
gsecdump-v2b5.exe -l

The result is:
gsecdump-v2b5 get sql service password throught LSA

What is Managed Service Accounts

The Managed Service Accounts (MSA) mechanism has been developed as the protection from such attacks in Windows Server 2008 R2.
Managed Service Accounts are managed accounts in a domain that provide automatic password management and simplified management of the participant service names including delegating control to other administrators.
Advantages of Managed Service Accounts

  • An automatic password change. By default a password is changed every 30 days
  • A complex password. A complex, automatically generated password consisting of 240 random symbols (the first half includes English letters, the second half — numerals and other symbols)
  • No superfluous rights
  • An opportunity to use one MSA on several servers (gMSA) in case when all service instances should use a single subject, e.g., for using in NLB
  • SPN Management

Automatic update of the SPN after the renaming

  • server account
  • dnshostname property of the server account
  • changing addition-aldnshostname property of the server account
  • changing additionalsam-accountname property of the server account

Services that support MSA:

  • IIS
  • AD LDS
  • SQL Server 2008 R2 SP1, 2012
  • MS Exchange 2010, 2013

MSA Requirements

  • Domain and forest level – Windows Server 2008 R2
  • Windows Server 2008 R2, Windows 7 (Professional, Enterprise, Ultimate) and above
  • .Net Framework 3.5x
  • Active Directory administration module for PowerShell
  • The installed patch KB2494158

If a forest and a domain don’t have the 2008 R2 (MSA) and 2012 (gMSA) levels, you have to increase the forest level using the command:

1
adprep /forestprep

And increase the domain level using the command:

1
adprep /domainprep

in each domain, in which you have to create and use managed service accounts.

How to Enable MSA in PowerShell

  1. Run the cmdlet:
    1
    
    Import-Module ActiveDirectory
  2. To create an MSA account, you have to run the cmdlet:
    1
    
    New-ADServiceAccount serviceaccount –RestrictToSingleComputer

    where serviceaccount is the name of the MSA account
    The parameter RestrictToSingleComputer means that MSA will be linked only to a single server. You can go to Active Directory Users and Computers and make sure that MSA has been created (for the section Managed Service Accounts to appear, you have to enable Advanced Features in the View menu of the AD snap-in).
    Active Directory OU -  Managed Service Accounts

  3. To link MSA to the server, run the cmdlet:
    1
    
    Add-ADComputerServiceAccount -Identity server -ServiceAccount serviceaccount

    where server is the name of the server which is associated with MSA
    serviceaccount is the name of the MSA
    To check if the operation has succeeded, go to Active Directory Users and Computers, then move to the server properties and check msDS-HostServiceAccount attribute
    link msa account with windows server

  4. Install the managed service account on the local computer
    You have to run the cmdlet:

    1
    
    Install-ADServiceAccount -Identity serviceaccount

    where serviceaccount is the name of the MSA

  5. Test the MSA (Windows 8.1, Windows PowerShell 4.0, Windows Server 2012 R2)
    Run the cmdlet:

    1
    
    Test-ADServiceAccount serviceaccount

    where serviceaccount is the name of the MSA
    It returns the value True or False

  6. Set to run Windows service as MSA and restart the service.
    Don’t forget to put ‘$‘ at the end of the MSA name
    The field Password should be left empty.
    run sql service with msa

Let’s check the service account password using the gsecdump utility
gsecdump can't get msa password

Group Managed Service Accounts in Windows Server 2012

In Windows Server 2012 there appeared Group Managed Service Accounts (gMSA). They allow to link a managed account not to a single server, but to several of them.
It can become necessary, for example, in Network Load Balancing or Windows cluster.

Requirements:

  • Schema level – Windows Server 2012
  • Windows Server 2012 (R2) domain controller running Microsoft Key Distribution Service
  • Windows Server 2012, 2012 R2, 8, 8.1
  • Active Directory administration module for PowerShell

How to Enable gMSA in PowerShell

  1. Make sure that Microsoft Key Distribution Service is on “Microsoft Key Distribution Service uses a shared secret to generate account keys. These keys are changed from time to time. Along the other attributes of the Group Managed Service Accounts the Windows Server 2012 domain controller gets a password for a key provided by key distribution services. By addressing to the Windows Server 2012 domain controller Windows Server 2012 and Windows 8 hosts can get a current and a previous passwords.”
  2. Create a Root Key
    Root Key can be created with the cmdlet:

    1
    
    Add-KdsRootKey

    To create a new Root Key, run the following cmdlet:

    1
    
    Add-KdsRootKey –EffectiveImmediately

    In this case the key will be available in 10 hours, until replicated.
    You can also run a cmdlet:

    1
    
    Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10))

    Then the key will become available immediately (10 hours of work are saved)

  3. Create gMSA
    Run the cmdlet:

    1
    
    New-ADServiceAccount serviceaccount -DNSHostName tst.test.com –PrincipalsAllowedToRetrieveManagedPassword $test

    where serviceaccount is the name of the gMSA
    tst.test.com is the name of the server, on which a Root Key has been created
    $test is the name of the server that can address KDS to get dataYou can go to Active Directory Users and Computers and make sure that gMSA has been created (for the section Managed Service Accounts to appear, you have to enable Advanced Features in the View menu of the AD snap-in).
    windows-server-2012-gMSA

  4. Install the managed service account on the local computer
    You have to run the cmdlet:

    1
    
    Install-ADServiceAccount -Identity serviceaccount

    where serviceaccount is the name of the gMSA

  5. Test the gMSA (Windows 8.1, Windows PowerShell 4.0, Windows Server 2012 R2)
    Run the cmdlet:

    1
    
    Test-ADServiceAccount serviceaccount

    where serviceaccount is the name of the gMSA
    It returns the value True or False

  6. Set to run Windows service as gMSA and restart the service.
    Don’t forget to put ‘$’ at the end of the gMSA name
    The field Password should be left empty.
    run sql service with msa

Let’s check the service account password using the gsecdump utility
check service account password

MSA/gMSA can be uninstalled using the cmdlet Uninstall-ADServiceAccount

You can set MSA/gMSA parameters with the cmdlet Set-ADServiceAccount
Set the interval of password change:

1
Set-ADServiceAccount serviceaccount -ManagedPasswordIntervalInDays 60

where serviceaccount is the name of the gMSA
60 is a period of time, after which the password will be changed
Set Kerberos encryption algorithms to be used by MSA
Variants: RC4, AES128, AES256

1
Set-ADServiceAccount serviceaccount -KerberosEncryptionType RC4, AES128, AES256

Set SPN

1
Set-ADServiceAccount serviceaccount -ServicePrincipalNames @{Add=«added SPN»}

Set NetBIOS name of the service (SAMAccountName)
If it is not set, an ID Name is used
If it is set, the display name in AD will be from Name and the login ID will be from SAMAccountName

1
Set-ADServiceAccount serviceaccount –SamAccountName test

MSA is great way to improve the network security.

Previous:
Next:
Related Articles