Monday, November 9, 2009

Windows 7 – What's New in Service Accounts


One of the security challenges for critical network applications such as Exchange and IIS is selecting the appropriate type of account for the application to use.

On a local computer, an administrator can configure the application to run as Local Service, Network Service, or Local System. These service accounts are simple to configure and use but are typically shared among multiple applications and services and cannot be managed on a domain level.

If you configure the application to use a domain account, you can isolate the privileges for the application, but you need to manually manage passwords or create a custom solution for managing these passwords. Many SQL Server and IIS applications use this strategy to enhance security, but at a cost of additional administration and complexity.

In these deployments, service administrators spend a considerable amount of time in maintenance tasks such as managing service passwords and service principal names (SPNs), which are required for Kerberos authentication. In addition, these maintenance tasks can disrupt service.

What's new in service accounts?

Two new types of service account are available in Windows Server 2008 R2 and Windows 7: the managed service account and the virtual account. The managed service account is designed to provide crucial applications such as SQL Server and Internet Information Services (IIS) with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts.

Virtual accounts in Windows Server 2008 R2 and Windows 7 are “managed local accounts” that can use a computer’s credentials to access network resources.

Who will want to use managed service accounts?

The managed service account and the virtual account are designed to provide crucial applications such as SQL Server or IIS with the isolation of their own accounts, while eliminating the need for an administrator to manually administer the SPN and credentials for these accounts.

Administrators will want to use managed service accounts to enhance security while simplifying or eliminating the following service administration tasks:

· Password management

· SPN management

Virtual accounts simplify service administration by:

· Eliminating password management

· Allowing services to access the network with the computer’s account credentials in a domain environment

What are the benefits of new managed service accounts?

In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts:

· Managed service accounts allow administrators to create a class of domain accounts that can be used to manage and maintain services on local computers.

· Unlike with regular domain accounts, the network passwords for these accounts will be reset automatically, freeing the administrator from having to reset these passwords manually.

· Unlike with normal local computer and user accounts, the administrator does not have to complete complex SPN management tasks to use managed service accounts.

· Administrative tasks for managed service accounts can be delegated to non-administrators.

What's the impact of these changes on account management?

Managed service accounts can reduce the amount of account management needed for critical services and applications.

Are there any special considerations for using the new service account options?

To use managed service accounts and virtual accounts, the client computer on which the application or service is installed must be running Windows Server 2008 R2 or Windows 7. In Windows Server 2008 R2 and Windows 7, a managed service account can be used only by services on a single computer. Managed service accounts cannot be shared between multiple computers and cannot be used in server clusters where a service is replicated on multiple cluster nodes.

Windows Server 2008 R2 domains provide native support for both automatic password management and SPN management. If the domain is running in Windows Server 2003 mode or Windows Server 2008 mode, additional configuration steps will be needed to support managed service accounts. This means that:

· If the domain controller is running Windows Server 2008 R2 and the schema has been upgraded to support managed service accounts, both automatic password and SPN management are available.

· If the domain controller is on a computer running Windows Server 2008 or Windows Server 2003 and the Active Directory schema has been upgraded to support this feature, managed service accounts can be used and service account passwords will be managed automatically. However, the domain administrator using these server operating systems will still need to manually configure SPN data for managed service accounts.
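As an added example (not part of the original post), the following PowerShell shows how the pieces above fit together on a Windows Server 2008 R2 domain: creating a managed service account, binding it to one computer, and pointing a service at it with no password to manage, followed by the virtual-account form for a purely local service. The cmdlets are those of the Windows Server 2008 R2 Active Directory module; the account, computer and service names are placeholders.

```powershell
# Added example, not from the original post. Assumes a Windows Server 2008 R2
# domain, the Active Directory module for Windows PowerShell, a member server
# named APP01 (Windows 7 / 2008 R2) and a service "MyAppSvc" already installed
# there. All names below are hypothetical placeholders.
Import-Module ActiveDirectory

$msaName  = 'svc-myapp'    # MSA name; its sAMAccountName becomes svc-myapp$
$computer = 'APP01'        # the single member server that will own the MSA
$service  = 'MyAppSvc'     # the service to isolate from the shared built-in accounts
$domain   = (Get-ADDomain).NetBIOSName

# 1. Create the managed service account. The domain generates and rotates its
#    password, so no credential is ever handed to an administrator or stored in a script.
New-ADServiceAccount -Name $msaName -Enabled $true

# 2. Bind the MSA to exactly one computer; an MSA cannot be shared across hosts.
Add-ADComputerServiceAccount -Identity $computer -ServiceAccount $msaName

# --- Run the remaining steps on APP01 itself (for example via Enter-PSSession) ---

# 3. Install the MSA locally so the host can retrieve its password from AD,
#    then verify the account is actually usable on this computer.
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $msaName is not usable on $env:COMPUTERNAME"
}

# 4. Point the service at the MSA. The password argument is $null on purpose:
#    the machine fetches it from the domain and no human ever sees it.
#    Unlike the Services snap-in, this WMI call does not grant the account the
#    "Log on as a service" right; assign that via Local Security Policy or GPO
#    before restarting the service.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$service'"
$rc  = $svc.Change($null,$null,$null,$null,$null,$null,"$domain\$msaName`$",$null)
if ($rc.ReturnValue -ne 0) { throw "Win32_Service.Change failed: $($rc.ReturnValue)" }

# 5. Audit: confirm the logon identity is the isolated account, not LocalSystem,
#    NT AUTHORITY\NetworkService or NT AUTHORITY\LocalService.
Get-WmiObject Win32_Service -Filter "Name='$service'" |
    Select-Object Name, StartName, State

# Virtual account alternative for a second, purely local service: the identity
# is NT SERVICE\<ServiceName> with no password at all; on the network it
# authenticates as the computer account.
$local = Get-WmiObject Win32_Service -Filter "Name='MyLocalSvc'"
$local.Change($null,$null,$null,$null,$null,$null,'NT SERVICE\MyLocalSvc',$null) | Out-Null
```

Restart each reconfigured service afterwards; the new logon identity takes effect only on the next start.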

To use managed service accounts in Windows Server 2008, Windows Server 2003, or mixed-mode domain environments, the following schema changes must be applied:

· The service account schema must be applied at the forest level.

· The schema must be changed at the domain level to create the default Managed Service Account container.

For more information, see Extending the Schema.

For more information about managing SPNs, see Service Principal Names.