
Service accounts – discover, manage and authenticate without secrets

Service accounts are operational blind spots for IT administrators

In the context of Windows operating systems, service accounts are special user accounts specifically created and used by Windows services or processes to run tasks or applications in the background. These accounts are distinct from regular user accounts and are designed to provide the necessary permissions and privileges for the smooth operation of services without requiring user interaction.

In Linux operating systems, service accounts are user accounts created specifically for the purpose of running services, daemons, or background processes. These accounts are distinct from regular user accounts and are tailored to provide the necessary privileges and access rights for the efficient and secure execution of specific system services. Here are some key aspects to understand about service accounts in the context of Linux:

Why are service accounts used?

Background processes

Service accounts are used to execute background processes or services that don’t require direct user interaction.

Automation

They facilitate the automation of system tasks, enabling services to run independently without manual intervention. This is machine-to-machine authentication and authorization, which typically relies on shared SSH keys made available to each service account.

Solving the problem of managing service accounts

Service accounts typically use passwords (shared secrets) or SSH keys to authenticate. This is a problem because these credentials can’t be easily vaulted and managed. By manage, we refer to the rotation that is typically applied in organizations.

AuthNull’s service account feature includes the following

Automated Discovery

Automated discovery of all service accounts on Windows and Linux OSes. Discover accounts that are being shared by both human users and services.
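The Linux side of this discovery can be illustrated with a small check over /etc/passwd. The following is an added example, not AuthNull’s own code, and the rule it applies is an assumption of this example: a low-UID account (below a configurable threshold, 1000 here) that still has an interactive login shell is one a human can log into directly, so it is a candidate for the "shared by humans and services" category the text mentions. The passwd content is constructed sample data.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Account is the subset of an /etc/passwd entry the check needs.
type Account struct {
	Name  string
	UID   int
	Shell string
}

// Finding records an account that deserves attention and why.
type Finding struct {
	Account Account
	Reason  string
}

// Shells that cannot be used for an interactive login (assumed list).
var noLoginShells = map[string]bool{
	"/usr/sbin/nologin": true,
	"/sbin/nologin":     true,
	"/bin/false":        true,
}

// ParsePasswd parses passwd-format text (name:pw:uid:gid:gecos:home:shell).
func ParsePasswd(content string) ([]Account, error) {
	var accts []Account
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) != 7 {
			return nil, fmt.Errorf("malformed passwd line: %q", line)
		}
		uid, err := strconv.Atoi(f[2])
		if err != nil {
			return nil, fmt.Errorf("bad uid in line %q: %v", line, err)
		}
		accts = append(accts, Account{Name: f[0], UID: uid, Shell: f[6]})
	}
	return accts, sc.Err()
}

// AuditServiceAccounts flags service accounts (UID below sysUIDMax, root
// excluded) that keep an interactive shell, i.e. that a human could use.
func AuditServiceAccounts(accts []Account, sysUIDMax int) []Finding {
	var out []Finding
	for _, a := range accts {
		if a.UID == 0 || a.UID >= sysUIDMax {
			continue
		}
		if !noLoginShells[a.Shell] {
			out = append(out, Finding{a, "service account has an interactive shell and can be shared with human logins"})
		}
	}
	return out
}

// samplePasswd is constructed sample data, not taken from a real host.
const samplePasswd = `root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
postgres:x:114:120:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-deploy:x:998:998::/opt/deploy:/bin/sh
`

func main() {
	accts, err := ParsePasswd(samplePasswd)
	if err != nil {
		panic(err)
	}
	for _, f := range AuditServiceAccounts(accts, 1000) {
		fmt.Printf("%-12s uid=%-4d shell=%-18s %s\n", f.Account.Name, f.Account.UID, f.Account.Shell, f.Reason)
	}
}
```

On a real host you would feed it the contents of /etc/passwd and treat each finding as a starting point for the question the text raises: is this account used by a daemon, by people, or by both?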

Service account policies

Provision zero trust service account policies that enable Passwordless machine to machine authentication – no SSH Keys, shared secrets, passwords necessary. These policies eliminate the need to maintain passwords, and have password rotations.

Enforce protection and audit everything

With service account policies in effect, administrators can enforce protection, enable machine to machine authentication and audit all actions which are captured and relayed via audit logs.

Service account authentication without secrets or SSH Keys

AuthNull supports passwordless authentication of service accounts. How does this work?

Generation of claims

  1. An admin creates a service account policy. AuthNull assigns a passwordless credential for each service account credential policy, which is then sent to an admin wallet. This credential is originally signed by the organization’s private key.

  2. The admin signs the claim using their private key, so two key pairs are involved (org and admin). The admin can then generate a signed claim and delegate it to multiple sets of bastion hosts (pairs of two). This is a simple process that pops up on the admin’s phone.

  3. The claim is held by the bastions, which act as a group of servers that replace a secrets vault.

Verification of claims

  1. The source host connects to the target host using SSH.

  2. AuthNull intercepts the SSH authentication, verifies that such a policy exists and searches for the claims. AuthNull picks up the claim from the bastion host and verifies it (using a blockchain, or by using the public keys of the issuer, i.e. the organization, and of the user it was supposed to be assigned to).

  3. When the claim is verified, authentication is allowed through, without a single stored password or secret anywhere.

AuthNull’s passwordless authentication is supported for Linux only at the moment. Authentication options for Windows are coming soon.
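The two-key-pair chain described in the generation and verification steps above can be shown end to end with Ed25519 signatures. This is an added example and not AuthNull’s implementation; the credential and claim structures, field names and the public-key verification path (the blockchain option mentioned in step 2 of verification is not modelled) are assumptions of this example. The organization key signs a credential that names the service account, the target host and the admin it is assigned to; the admin key then signs a claim scoped to one source host; the target host verifies both signatures and checks the claim against the connection actually being attempted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is the policy-level statement the organization issues:
// "this service account may be reached on this target host, and this
// admin may delegate it". Hypothetical structure for this example.
type Credential struct {
	PolicyID       string `json:"policy_id"`
	ServiceAccount string `json:"service_account"`
	TargetHost     string `json:"target_host"`
	AdminPub       []byte `json:"admin_pub"` // admin the credential is assigned to
}

// SignedCredential is the credential plus the organization's signature over it.
type SignedCredential struct {
	Credential Credential `json:"credential"`
	OrgSig     []byte     `json:"org_sig"`
}

// Claim is what the admin signs and hands to a bastion: the org-signed
// credential, narrowed to one source host, plus the admin's signature.
type Claim struct {
	Cred       SignedCredential `json:"cred"`
	SourceHost string           `json:"source_host"`
	AdminSig   []byte           `json:"admin_sig"`
}

func mustJSON(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return b
}

// claimBody is the byte string the admin signs: every claim field except the admin signature.
func claimBody(c Claim) []byte {
	return mustJSON(struct {
		Cred       SignedCredential `json:"cred"`
		SourceHost string           `json:"source_host"`
	}{c.Cred, c.SourceHost})
}

// IssueCredential is generation step 1: the organization's private key signs the credential.
func IssueCredential(orgPriv ed25519.PrivateKey, cred Credential) SignedCredential {
	return SignedCredential{Credential: cred, OrgSig: ed25519.Sign(orgPriv, mustJSON(cred))}
}

// DelegateClaim is generation step 2: the admin signs a claim for one source host so a bastion can hold it.
func DelegateClaim(adminPriv ed25519.PrivateKey, sc SignedCredential, sourceHost string) Claim {
	c := Claim{Cred: sc, SourceHost: sourceHost}
	c.AdminSig = ed25519.Sign(adminPriv, claimBody(c))
	return c
}

// VerifyClaim is what runs on the target host when an SSH login for account
// arrives from sourceHost. The org signature binds the admin key, so a claim
// signed by any other key fails, and the claim must match the connection.
func VerifyClaim(c Claim, orgPub ed25519.PublicKey, sourceHost, targetHost, account string) error {
	cred := c.Cred.Credential
	if !ed25519.Verify(orgPub, mustJSON(cred), c.Cred.OrgSig) {
		return errors.New("credential not signed by the organization")
	}
	if len(cred.AdminPub) != ed25519.PublicKeySize {
		return errors.New("credential carries a malformed admin key")
	}
	if !ed25519.Verify(ed25519.PublicKey(cred.AdminPub), claimBody(c), c.AdminSig) {
		return errors.New("claim not signed by the admin named in the credential")
	}
	if c.SourceHost != sourceHost || cred.TargetHost != targetHost || cred.ServiceAccount != account {
		return fmt.Errorf("claim does not cover %s -> %s as %s", sourceHost, targetHost, account)
	}
	return nil
}

func main() {
	// Hostnames and account names below are constructed sample values.
	orgPub, orgPriv, _ := ed25519.GenerateKey(rand.Reader)
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	sc := IssueCredential(orgPriv, Credential{"pol-1", "svc-backup", "db01.example", adminPub})
	claim := DelegateClaim(adminPriv, sc, "app01.example")
	fmt.Println("valid:       ", VerifyClaim(claim, orgPub, "app01.example", "db01.example", "svc-backup"))
	fmt.Println("wrong target:", VerifyClaim(claim, orgPub, "app01.example", "db02.example", "svc-backup"))
}
```

Nothing in this flow is a shared secret: the bastion holds only signed statements, and a stolen claim is useless for any source host, target host or account other than the ones it names.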

Service account (m2m) authentication without secrets, or SSH Keys

Reduce attack surface by removing shared secrets, passwords or SSH keys: AuthNull eliminates the need for passwords, SSH keys or shared secrets to enable M2M authentication.

Implement least privilege: AuthNull’s service account policies enable you to deliver least-privilege-based M2M authentication.

Discover and eliminate service account blind spots: Whether you use a Windows or a Linux environment, AuthNull’s service account features enable you to discover and eliminate service account blind spots.

Reduce operational overhead: Removing the need to maintain and rotate passwords and SSH keys vastly reduces operational overhead.

This post is licensed under CC BY 4.0 by the author.