
Service accounts – discover, manage and authenticate without secrets

Service Accounts - automated discovery, Machine to Machine (M2M) authentication and more - updated September 2024

Service accounts are special user accounts specifically created and used by Windows services or processes to run tasks or applications in the background. These accounts are distinct from regular user accounts and are designed to provide the necessary permissions and privileges for the smooth operation of services without requiring user interaction.

AuthNull’s upgraded service accounts feature can discover service accounts in Active Directory, Windows endpoints and Linux endpoints.

Why are service accounts used?

Background processes

Service accounts are used to execute background processes or services that don’t require direct user interaction.

Automation

They facilitate the automation of system tasks, enabling services to run independently without manual intervention. These tasks are specific to machine to machine authentication and authorization, which typically happens with shared SSH keys that are made available to each service account.

Solving the problem of managing service accounts

Service accounts typically use passwords (shared secrets) or SSH keys to authenticate. This is a problem because these credentials can’t be easily vaulted and managed. By manage, we refer to the periodic credential rotation that organizations typically apply.

AuthNull’s service account includes:

1. Automated Discovery of Service accounts

Automated discovery of all service accounts on Active Directory, and local service accounts on Windows and Linux endpoints.

2. Service account policies

Provision zero trust service account policies that enable passwordless machine to machine authentication – no SSH keys, shared secrets or passwords necessary. These policies eliminate the need to maintain passwords and to rotate them.

With service account policies in effect, administrators can enforce protection, enable machine to machine authentication and audit all actions which are captured and relayed via audit logs.

3. Machine to Machine Authentication without any Passwords, and SSH Keys

AuthNull supports passwordless authentication of service accounts. How does this work? The detailed video below showcases service account authentication including edge cases when users are

How does M2M authentication work?

Step #1 - Creation of policies and Generation of claims

An admin creates a service account policy. AuthNull assigns a passwordless credential to each service account credential policy, which is then sent to an admin wallet. This credential is signed by the organization’s private key, signifying that the organization has issued it; that signature forms the first root of trust.

Step #2 - Delegation of trust through Zero knowledge proof claims hash

A user to whom the policy was assigned receives the credential in their wallet. Because this is a machine to machine credential, it is hashed by signing the credential using the user’s private key, and the wallet automatically delegates the trust as a hash. This hash is written to the DB and subsequently written to a blockchain at an immutable address. This blockchain hash and its address serve as a Zero Knowledge Proof (ZKP) claim that is used for machine to machine authentication.

The claim is held by the bastion, which acts as a group of servers that replaces a secrets vault.

Step #3 - Machine to machine authentication and verification of claims

AuthNull intercepts the SSH authentication from host A to host B using the given service account user. AuthNull verifies the identity of the user against Active Directory and verifies that such a policy exists. AuthNull then looks up the policy’s blockchain address, along with the hash stored in its DB, and compares the DB hash to the hash stored on the blockchain. If the two hashes match, authentication for the given service account user is allowed through without having to exchange a password or SSH key.

AuthNull’s passwordless authentication is supported for Linux / SSH only at the moment, using local service accounts or Active Directory service accounts. Authentication options for Windows are coming soon.

High level design overview

How does AuthNull enable passwordless authentication, and how does it prevent privileged users from interactively logging into Host 2 from Host 1 using the passwordless credential?

At a high level, machine to machine authentication is verified using immutable blockchain hashes which are stored at a blockchain address (for example, on Ethereum). There’s a cost to write these transactions, and reads are generally free.

These hashes were generated from verified credentials that were assigned to specific users as part of a machine to machine authentication policy. Since machine to machine authentication involves no interactive user approvals, a Zero Knowledge Proof system is used for credential verification. The blockchain address, as well as the final hash value, is also stored in the mapping database (within AuthNull). However, without a counter verification from the external immutable ledger (in this case the Ethereum blockchain) the authentication will fail.

This system design has failsafe mechanisms to detect whether an interactive user is triggering the authentication. If that is the case, the system defaults to interactive authentication, with the request going to the owner of the policy user’s wallet asking for permission to authenticate.
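The three-step flow (policy creation and organization signature, delegation of a claim hash to an immutable ledger, and ledger-backed verification at SSH time) and the interactive-user failsafe described above, simulated end to end as an added example. This is illustrative code, not AuthNull’s implementation: HMAC-SHA256 stands in for the organization’s and user’s private-key signatures, an append-only in-memory `Ledger` class stands in for the blockchain, and the `Broker`, `ACTIVE_DIRECTORY` set and sample keys are constructed for the example. The point it shows is that the mapping DB alone is never trusted: a DB entry that no longer matches the ledger is denied, and a request flagged as interactive is routed to wallet approval instead of being auto-allowed.

```python
"""Simulation of the M2M authentication flow (added example, not AuthNull's code).
HMAC-SHA256 stands in for private-key signatures; a dict stands in for the blockchain."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# --- constructed sample keys and directory data (not real secrets) ---
ORG_KEY = b"org-root-key-constructed"                       # organization's signing key
USER_KEYS = {"svc-backup": b"svc-backup-wallet-key-constructed"}  # per-user wallet keys
ACTIVE_DIRECTORY = {"svc-backup"}                            # identities known to AD


def sign(key: bytes, message: bytes) -> bytes:
    """Stand-in for a private-key signature (hypothetical helper)."""
    return hmac.new(key, message, hashlib.sha256).digest()


class Ledger:
    """Append-only store modelling the blockchain: writes cost, reads are free,
    and an address can never be overwritten."""

    def __init__(self):
        self._entries = {}
        self.write_cost = 0

    def write(self, claim_hash: str) -> str:
        address = "0x" + hashlib.sha256(claim_hash.encode()).hexdigest()[:40]
        if address in self._entries:
            raise ValueError("immutable: address already written")
        self._entries[address] = claim_hash
        self.write_cost += 1
        return address

    def read(self, address: str):
        return self._entries.get(address)


@dataclass
class Broker:
    """The bastion/broker holding policies and the mapping DB (constructed)."""
    ledger: Ledger
    db: dict = field(default_factory=dict)        # policy_id -> (address, claim_hash)
    policies: dict = field(default_factory=dict)  # policy_id -> credential

    # Step 1: admin creates a policy; the organization issues and signs the credential
    def create_policy(self, policy_id, user, src, dst):
        cred = {"policy": policy_id, "user": user, "from": src, "to": dst,
                "nonce": secrets.token_hex(8)}
        msg = json.dumps(cred, sort_keys=True).encode()
        self.policies[policy_id] = cred
        return cred, sign(ORG_KEY, msg)

    # Step 2: the user's wallet checks the root of trust, signs, derives the claim
    # hash and anchors it on the ledger; the DB keeps only the address and hash
    def delegate(self, policy_id, cred, org_sig):
        msg = json.dumps(cred, sort_keys=True).encode()
        if not hmac.compare_digest(sign(ORG_KEY, msg), org_sig):
            raise ValueError("credential not issued by the organization")
        user_sig = sign(USER_KEYS[cred["user"]], msg + org_sig)
        claim_hash = hashlib.sha256(user_sig).hexdigest()
        address = self.ledger.write(claim_hash)
        self.db[policy_id] = (address, claim_hash)
        return address

    # Step 3: intercepted SSH auth from src to dst as `user`
    def authorize(self, policy_id, user, src, dst, interactive=False):
        if user not in ACTIVE_DIRECTORY:
            return "DENY: unknown identity"
        if interactive:                      # failsafe: never auto-allow a human session
            return "WALLET_APPROVAL_REQUIRED"
        cred = self.policies.get(policy_id)
        if not cred or (cred["user"], cred["from"], cred["to"]) != (user, src, dst):
            return "DENY: no matching policy"
        if policy_id not in self.db:
            return "DENY: no delegated claim"
        address, db_hash = self.db[policy_id]
        if self.ledger.read(address) != db_hash:  # counter-verification against the ledger
            return "DENY: ledger mismatch"
        return "ALLOW"


def demo():
    """Run the flow once and return the outcome of each scenario."""
    broker = Broker(Ledger())
    cred, org_sig = broker.create_policy("p1", "svc-backup", "hostA", "hostB")
    broker.delegate("p1", cred, org_sig)
    results = {
        "m2m": broker.authorize("p1", "svc-backup", "hostA", "hostB"),
        "interactive": broker.authorize("p1", "svc-backup", "hostA", "hostB", interactive=True),
        "wrong_host": broker.authorize("p1", "svc-backup", "hostA", "hostC"),
    }
    # Tamper with the mapping DB: the ledger counter-verification must catch it
    address, _ = broker.db["p1"]
    broker.db["p1"] = (address, "0" * 64)
    results["tampered_db"] = broker.authorize("p1", "svc-backup", "hostA", "hostB")
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:12s} -> {outcome}")
```

The `interactive` flag models whatever signal the failsafe uses to tell a human session from an automated one (an assumption here; the page does not describe the mechanism). The tampered-DB scenario is the one worth keeping in mind operationally: the ledger lookup costs nothing to read, so every authorization should perform it rather than trusting the cached hash.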

Summary of Service account, and machine to machine (M2M) authentication without secrets, or SSH Keys

AuthNull’s service account feature enables organizations to deliver passwordless machine to machine authentication. It comes with certain key advantages:

Reduce attack surface by removing shared secrets, passwords or SSH keys

AuthNull eliminates the need to use passwords, SSH keys or shared secrets to enable M2M authentication.

Implement least privilege

AuthNull’s service account policies enable you to deliver least privilege based M2M authentication.

Discover and eliminate service account blindspots

Whether you use a Windows environment or a Linux environment, AuthNull’s service account features enable you to discover and eliminate service account blindspots.

Reduce operational overhead

Removing the need to maintain and rotate passwords and SSH keys vastly reduces operational overhead.

This post is licensed under CC BY 4.0 by the author.