Service Accounts in Active Directory: These OG NHIs Could Be Your Weakest Link

Source: Tenable Blog

Author: Sonya Wilcox

URL: https://www.tenable.com/blog/service-accounts-in-active-directory-these-og-nhis-could-be-your-weakest-link

ONE SENTENCE SUMMARY:

Securing Active Directory service accounts by fixing common misconfigurations can significantly reduce risk from non-human identities in IT environments.

MAIN POINTS:

  1. Non-human identities (NHIs) are crucial in identity management, often overpermissioned and under-secured.
  2. NHIs include service accounts, API keys, OAuth tokens, and cloud workloads.
  3. Active Directory service accounts are critical and often misconfigured, posing significant security risks.
  4. Kerberoasting abuses normal Kerberos behaviour: any domain user can request a service ticket for an account that has an SPN, and because that ticket is encrypted with a key derived from the service account's password it can be cracked offline to recover the password (RC4-encrypted tickets are the cheapest to crack).
  5. Unconstrained Kerberos delegation makes a server cache the TGT of every user who authenticates to it; an attacker who compromises that server can replay those TGTs to impersonate the users to any service in the domain.
  6. Managed Service Accounts (standalone MSAs and group MSAs) let AD generate and rotate the password automatically, but they still need correct SPNs, encryption settings and retrieval permissions.
  7. Remediating Kerberoastable accounts means taking SPNs off privileged accounts and running the service under an unprivileged account with a long, random password or, better, under a group managed service account.
  8. For delegation settings the safe choice is “Do not trust this computer for delegation” (the default); “Trust this computer for delegation to any service (Kerberos only)” is unconstrained delegation and should be reserved for domain controllers, if anything.
  9. Regularly cleaning up and managing NHIs is crucial for maintaining cyber hygiene.
  10. Solutions like Tenable can help identify and remediate NHI vulnerabilities in Active Directory.

TAKEAWAYS:

  1. Secure and regularly monitor service accounts to prevent overscoping and overpermissioning.
  2. Address Kerberoastable accounts by enforcing AES (not RC4) ticket encryption, using long random passwords, and running services under unprivileged accounts or gMSAs.
  3. Replace unconstrained delegation with constrained or resource-based constrained delegation (or remove it) so a compromised server cannot harvest users' TGTs, and mark sensitive accounts as “Account is sensitive and cannot be delegated”.
  4. Leverage solutions like Tenable for visibility into misconfigurations and attack paths.
  5. Make NHI management part of routine cybersecurity practices to mitigate risks effectively.
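The following PowerShell script is an added worked example for MAIN POINTS 4, 5, 7 and 8 and TAKEAWAYS 2 and 3; it is not code from the Tenable post. It assumes the ActiveDirectory RSAT module on a domain-joined host with rights to read, and for the remediation part write, the objects shown. Every account, host, group and domain name in it (svc-legacy-sql, APPSRV01, DB01, SQL-Hosts, gmsaSQL, da-jdoe, corp.example) is a hypothetical placeholder.

```powershell
# Added example, not from the Tenable post. Assumes RSAT ActiveDirectory module
# and a domain-joined session; all names below are hypothetical placeholders.
Import-Module ActiveDirectory

# --- 1. Kerberoastable accounts: user objects that carry an SPN -------------
# Any authenticated user can request a service ticket for these. The ticket is
# encrypted with a key derived from the account's password, so it can be
# cracked offline. krbtgt always has an SPN and is skipped here.
$aesBits    = 0x18   # msDS-SupportedEncryptionTypes: 0x8 = AES128, 0x10 = AES256
$privGroups = 'CN=(Domain Admins|Enterprise Admins|Administrators|Account Operators|Schema Admins),'

# NoAES: attribute unset or without AES bits means the KDC can still issue RC4
#        tickets, the fast path for offline cracking.
# Privileged: direct group membership only; nested membership needs
#        Get-ADGroupMember -Recursive on each privileged group.
$roastable = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, MemberOf |
  Select-Object SamAccountName, PasswordLastSet,
    @{ n = 'SPNs';       e = { $_.servicePrincipalName -join ';' } },
    @{ n = 'NoAES';      e = { ($null -eq $_.'msDS-SupportedEncryptionTypes') -or
                               (($_.'msDS-SupportedEncryptionTypes' -band $aesBits) -eq 0) } },
    @{ n = 'Privileged'; e = { [bool]($_.MemberOf | Where-Object { $_ -match $privGroups }) } }

$roastable | Sort-Object Privileged, NoAES -Descending | Format-Table -AutoSize

# --- 2. Unconstrained delegation -------------------------------------------
# A host with this flag caches the TGT of every user who authenticates to it;
# whoever controls the host can replay those TGTs to any service. Domain
# controllers legitimately carry the flag, so they are filtered out by primary
# group (516 = Domain Controllers, 521 = Read-only Domain Controllers).
$unconstrained = @(
  Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties PrimaryGroupID |
    Where-Object { $_.PrimaryGroupID -notin 516, 521 }
  Get-ADUser -Filter { TrustedForDelegation -eq $true }
)
$unconstrained | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# --- 3. Remediation (hypothetical objects) ----------------------------------
# a) Keep the SPN but take away RC4: restrict the account to AES, then reset the
#    password, because AES keys are only generated on a password change.
Set-ADUser -Identity svc-legacy-sql -KerberosEncryptionType 'AES128,AES256'
Set-ADAccountPassword -Identity svc-legacy-sql -Reset `
    -NewPassword (Read-Host -AsSecureString 'New 25+ character password for svc-legacy-sql')

# b) Better: move the service to a group managed service account. AD generates
#    and rotates its password (240 bytes, every 30 days by default) and only the
#    hosts in SQL-Hosts may retrieve it. The SPN is removed from the old account
#    first because AD enforces SPN uniqueness. Add-KdsRootKey -EffectiveImmediately
#    is for a lab; in production wait for the root key to become effective.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }
Set-ADUser -Identity svc-legacy-sql -ServicePrincipalNames $null
New-ADServiceAccount -Name gmsaSQL -DNSHostName gmsaSQL.corp.example `
    -ServicePrincipalNames 'MSSQLSvc/db01.corp.example:1433' `
    -KerberosEncryptionType 'AES128,AES256' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL-Hosts'
# On DB01, once it has picked up its SQL-Hosts membership (reboot or klist purge):
#   Install-ADServiceAccount gmsaSQL; Test-ADServiceAccount gmsaSQL

# c) Turn unconstrained delegation off ("Do not trust this computer for
#    delegation") and replace it with resource-based constrained delegation
#    scoped to the one back-end that actually needs to be reached.
Set-ADAccountControl -Identity 'APPSRV01$' -TrustedForDelegation $false
Set-ADComputer -Identity DB01 -PrincipalsAllowedToDelegateToAccount (Get-ADComputer APPSRV01)

# d) Keep administrators out of every delegation path regardless of host settings.
Set-ADAccountControl -Identity da-jdoe -AccountNotDelegated $true
Add-ADGroupMember -Identity 'Protected Users' -Members da-jdoe
```

Run sections 1 and 2 first and review the output; section 3 changes the directory and is written for a single hypothetical service, so adapt the names and, for the gMSA step, confirm with the service owner that the application supports running as a gMSA before removing the SPN from the old account.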