Group Managed Service Accounts (gMSA) were introduced in Windows Server 2016 and can be leveraged on Windows Server 2012 and above. gMSAs offer a more secure way to run automated tasks, services, and applications. How are gMSAs more secure, you ask? Their passwords are handled entirely by Windows: gMSA passwords are randomly generated, automatically rotated, and never need to be known by any user. The gMSA itself is ‘installed’ on the server that will query the password information from Active Directory at run time, so an end user does not have to update the password in an application when it rotates. Unlike normal user accounts used as service accounts, which in my experience seem to always have password ages of 10 or so years, gMSAs are not susceptible to brute-force attacks or to bad password policies and hygiene.
Using a gMSA involves a computer account in Active Directory (the one where the gMSA is installed) being able to query the password information whenever the account is to be used. gMSAs are a specific object type in Active Directory, msDS-GroupManagedServiceAccount. These objects have special attributes related to their password and its rotation, the most important being the msDS-ManagedPassword attribute. This attribute contains a BLOB with the current password information for the account. As with LAPS, you’ll want to ensure that this attribute and the others are locked down so that only the Active Directory objects that need access can read them. I’ll cover all of the attributes and the potential threats and attacks associated with gMSAs in a future post.
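The two paragraphs above describe the gMSA lifecycle (a password managed by Windows, retrieved by specific computer accounts) and the need to lock down who can read msDS-ManagedPassword. The following PowerShell is an added example written for this page; it is not code from the original post or from Stealthbits. It assumes the RSAT ActiveDirectory module, rights to create service accounts, an existing KDS root key, and the placeholder names `svc-audit-gmsa` and `gMSA-AuditHosts`. It creates a gMSA whose password can be retrieved only by one group of servers, then audits every gMSA in the domain for overly broad password readers and for rotation that does not appear to be happening.

```powershell
# Added example, not from the original post or Stealthbits.
# Requires the RSAT ActiveDirectory module and a KDS root key (Get-KdsRootKey).
Import-Module ActiveDirectory

# Placeholder names: substitute your own gMSA name and host group.
$GmsaName  = 'svc-audit-gmsa'     # assumed gMSA name
$HostGroup = 'gMSA-AuditHosts'    # assumed group containing only the servers that need the password
$DnsSuffix = (Get-ADDomain).DNSRoot

# 1. Create the gMSA and restrict msDS-ManagedPassword retrieval to one group.
#    -PrincipalsAllowedToRetrieveManagedPassword populates msDS-GroupMSAMembership,
#    which is the ACL the DC checks before returning the password BLOB.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$DnsSuffix" `
    -ManagedPasswordIntervalInDays 30 `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup

# 2. On a member server in $HostGroup, the computer account pulls the password itself
#    (run there, not on the DC):
#    Install-ADServiceAccount -Identity 'svc-audit-gmsa'
#    Test-ADServiceAccount -Identity 'svc-audit-gmsa'   # True when retrieval works

# 3. Audit every gMSA in the domain: who may read its password, and is it rotating?
#    Principals that should never be allowed to read a gMSA password.
$BroadPrincipals = @('Domain Computers', 'Domain Users', 'Authenticated Users', 'Everyone')

Get-ADServiceAccount -Filter * `
    -Properties ObjectClass, PrincipalsAllowedToRetrieveManagedPassword,
                'msDS-ManagedPasswordInterval', PasswordLastSet |
Where-Object { $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount' } |
ForEach-Object {
    # PrincipalsAllowedToRetrieveManagedPassword holds distinguished names; resolve to sAMAccountName.
    $readers = @($_.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object {
        (Get-ADObject -Identity $_ -Properties sAMAccountName).sAMAccountName
    })
    $interval = $_.'msDS-ManagedPasswordInterval'
    $age      = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { $null }

    [pscustomobject]@{
        Name          = $_.Name
        Readers       = ($readers -join ', ')
        # Any hit here means far more machines than necessary can pull the password.
        BroadReaders  = (($readers | Where-Object { $BroadPrincipals -contains $_ }) -join ', ')
        IntervalDays  = $interval
        PasswordAge   = $age
        # Password older than the rotation interval: no authorized host has fetched the rotated password.
        RotationStale = ($null -ne $age -and $interval -and $age -gt $interval)
    }
} | Format-Table -AutoSize
```

Two things to read off the audit output: a non-empty BroadReaders column means the msDS-ManagedPassword BLOB is effectively readable by any domain-joined machine, which defeats the point of a gMSA; a RotationStale account typically means no authorized host has retrieved the current password since the last interval, so the account is either unused (and a candidate for removal) or installed on a host that is no longer allowed to read it.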
Fortunately, in the next release of StealthAUDIT, due out later this year (2020), we’ll allow for the usage of gMSAs for both connection profiles and scheduled service accounts. I’ll be writing another blog on more in-depth issues and concerns related to gMSAs in the coming weeks, as well as how some of our tools can help assist with the detection and prevention of these threats.
Kevin Joyce is a Senior Technical Product Manager at Stealthbits – now part of Netwrix. He is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Kevin is passionate about cyber-security and holds a Bachelor of Science degree in Digital Forensics from Bloomsburg University of Pennsylvania.