Rotating Domain Passwords used for Services

Every service that runs in a Windows environment has an associated Log On As account, and the Service Control Manager (SCM) uses that account's credentials to start the service.

When that account is a Domain Account and its password is changed, the new password must also be written into the service configuration on every endpoint where the account is used. Each host's SCM keeps its own copy of the password and does not learn about the change from Active Directory, so a service left with the stale password fails at its next start with Error 1069 (The service did not start due to a logon failure), logged in the System event log as Service Control Manager events 7000 and 7038. A service that is already running is not affected until it is restarted, which is why the problem often surfaces only after the next reboot or maintenance window.

[Screenshot: Services-Logon-Failure]

With PAM, Domain Accounts can be managed so that their passwords are rotated automatically to long, randomly generated values.

Once the managed password is reset, PAM processes each included endpoint where this Domain Account is configured as a service Log On As account and updates the service with the new password.

Once set up, the process is fully automated, so you can schedule it to run as often as required.


The remaining portion of this article will describe how to properly setup this process.

We will outline the entire process, including several steps that may be optional in your deployment.

Although including every step makes the page longer, it accurately details all possible scenarios so that the full picture is presented.

Setup

First, we will create a new Folder (or Vault) named Domain Service Account Management to organize all the components.

This step is optional, but we recommend one container per Domain Account that you want to manage in this way.


Our folder will contain the following records:

  1. A Domain Administration account to be used as the Shadow Account for the password reset.
    • This record will be created using the type Active Directory User and will contain the credentials of a Domain Administrator. It is used as the Shadow Account to rotate the password on the Domain Service Account.

    • If the Domain Account can change its own password, this record is not required. Our example uses a Domain Admin as the shadow account so that the reset cannot fail for lack of permissions in AD. In production, prefer a dedicated account that is delegated only the Reset Password right on the OU holding your service accounts: the shadow account's credentials are stored in PAM and used by the Job Engine, so its privileges should be no broader than the reset requires.

  2. The Domain Account that is the service's Log On As account.

    • This record will be created using the type Active Directory User and will contain the credentials of the Domain Service Account.

  3. A Windows Host that will be used to reset the password of the Domain Account.

    • This record will be created using the type Windows Host and will be used as the host where the Domain Service Account password will be reset.

    • If you use the Password Reset LDAP task on the Domain Account record instead, this record is not needed. We use a separate Windows Host record in our scenario to illustrate the entire process; its inclusion is optional.

  4. A Windows Host record for each endpoint that contains a Service configured with the Domain Account. Our example contains two Windows Host records, but your scenario may contain more or fewer.

If you are unsure, or do not want to create a record for each Windows Host manually, use the Discovery feature to create records automatically wherever a Service is found using this account. Review the Discovery article, in particular the Auto-Import Filter parameter in the Auto-Import section, to implement this.

[Screenshot: DomainServiceAccount-Folder]

Step by Step Configuration Example

  1. Log in to PAM with a System Administrator account.
  2. Navigate to Administration > Scripts and click the Create button.
  3. For this new script, enter the following values:
    • Script Name: Password Reset Remote Windows Trigger (or a name of your choosing)

    • Description: Windows password reset script that also triggers update on dependent service accounts (or a description of your choosing)

    • Job Execution Strategy: Windows Remote

    • Custom Code (PowerShell):

      $${ResetPassword}
      #XTAM TRIGGER REF Windows Remote Reset Dependent Services

      The first line expands to PAM's built-in Windows password reset. The second line is a trigger that PAM evaluates only after the reset succeeds: it schedules the Windows Remote Reset Dependent Services task on every record whose Reference Record is the account that was just reset, so the dependent services are never touched if the reset itself fails.

    [Screenshot: DomainServiceAccount-NewScript]
  4. Click Save to complete the creation of this new script.

  5. Navigate to Records > All Records and determine a parent location to create your new folder.

  6. In this parent create a new folder named Domain Service Account Management.

  7. In this folder create a new Active Directory User record named Domain Admin and input your AD Domain Administrator credentials.

  8. In this folder create a new Active Directory User record named Domain Service Account and input your AD Domain Service Account credentials.

  9. In this folder create a new Windows Host record and enter the following values:

    • Name: Windows Host used for Password Reset (or a name of your choosing)

    • Description: The Domain Service Account password will be changed using this Windows Host (or a description of your choosing)

    • Reference Record: select your Domain Service Account record created in step 8.

    • Host: your host name

    • Port: your host’s port

    [Screenshot: DomainServiceAccount-WindowsHost-Edit]

  10. Open the record's Task menu by selecting Manage > Tasks and click the Make Unique button.

  11. Now click the Add Task button to configure the new task for this record.

  12. On the Add Task page, select your new script from step 3 Password Reset Remote Windows Trigger and then choose at least one Event. We will select the On Demand event, but you may decide to use one of the automated options.

  13. Click the Save button to complete the configuration.

  14. Back on this record's Task page, in the Shadow Account field select your Domain Admin record from step 7 and click the Save button again to complete the configuration.

    [Screenshot: DomainServiceAccount-WindowsHost-Task]

  15. Return to your new folder and create a new Windows Host record for the host that contains a service configured with your Domain Service Account as its Log On As account. For that record, make sure the following is configured:

    • Reference Record: select your Domain Service Account record created in step 8.

    • Shadow Account (for the Tasks): select your Domain Admin record created in step 7.

    • Script: select the default script Windows Remote Reset Dependent Services with the Event On Demand.

    [Screenshot: DomainServiceAccount-WindowsHostDependent-Task]

  16. Save after each step and repeat step 15 for each additional endpoint you wish to add.

Note that you can set up this task on the Record Type itself and take advantage of task inheritance, so you do not need to repeat these steps for each record.

That completes the configuration.

Continue to the next section to understand how the process is triggered and how it flows from initiation to successful completion of each task.

Process Flow

The following summarizes how to initiate the process (manually) and what happens when it is triggered.

  • To initiate the process manually, execute the task Password Reset Remote Windows Trigger on your record Windows Host used for Password Reset.
  • PAM uses the Shadow Account on this host to reset the password of the Domain Service Account.
  • When the password is reset successfully, PAM then evaluates the trigger #XTAM TRIGGER REF Windows Remote Reset Dependent Services contained in your new script. This trigger looks for all records whose Reference Record is your Domain Service Account.
  • On each record found, PAM schedules the record's Windows Remote Reset Dependent Services task. That task connects to the specified host, finds every service whose Log On As account (the User field) matches the Domain Service Account, and updates it with the new password. Because the User and Password are referenced back to the original record, the task always uses the most recent password.
  • Finally, the PAM Job Engine processes all dependent records and creates a Job History entry for each. These Job History events detail the successful completion of the task and list, by name, all services that were updated. Review them after every rotation: an endpoint whose job failed still holds the old password, and its service will fail at its next start.
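To make the flow above concrete, here is an added example in plain PowerShell; it is not XTAM's own script or task code. It performs the same three steps as the PAM job, in the same order: reset the account in AD with a separate shadow credential, find every service on each endpoint whose Log On As account matches (in either the DOMAIN\user or user@domain form the SCM accepts), write the new password into the SCM with the Win32_Service.Change method, and restart the service to prove the new secret actually works. All names (domain CORP / corp.example, account svc-app, endpoints app01 and app02, DC dc01.corp.example) are placeholders, and it assumes WinRM access as a local administrator on the endpoints and the RSAT ActiveDirectory module where it runs.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not XTAM's task code. Placeholders: CORP / corp.example, svc-app, app01, app02, dc01.

function New-RandomPassword {
    # Cryptographically random password. Rejection sampling avoids the modulo bias of
    # "byte % charset size" when the charset size (74 here) does not divide 256.
    param([int]$Length = 32)
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)   # largest multiple of the charset size that fits in a byte
    $out   = [char[]]::new($Length)
    $buf   = [byte[]]::new(1)
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $out[$i] = $chars[$buf[0] % $chars.Length]; $i++ }
    }
    return ConvertTo-SecureString -String (-join $out) -AsPlainText -Force
}

function Reset-ServiceAccountPassword {
    # Step 1: reset the password in AD with the shadow credential. -Reset needs only the
    # "Reset password" right on the target object, not the old password.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [Parameter(Mandatory)][pscredential]$ShadowCredential,
        [string]$Server                    # optional: pin one DC
    )
    $params = @{ Identity = $SamAccountName; Reset = $true; NewPassword = $NewPassword
                 Credential = $ShadowCredential; ErrorAction = 'Stop' }
    if ($Server) { $params.Server = $Server }
    Set-ADAccountPassword @params
}

function Find-DependentServices {
    # Step 2: services whose Log On As (Win32_Service.StartName) is the account, in either of
    # the two forms the SCM accepts. -contains compares case-insensitively.
    param(
        [Parameter(Mandatory)][CimSession]$Session,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$NetBiosDomain,
        [Parameter(Mandatory)][string]$DnsDomain
    )
    $forms = @("$NetBiosDomain\$SamAccountName", "$SamAccountName@$DnsDomain")
    Get-CimInstance -CimSession $Session -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($forms -contains $_.StartName) }
}

function Update-ServiceLogonPassword {
    # Step 3: Win32_Service.Change writes the new secret into that host's SCM. Change does not
    # validate it; the SCM only uses the stored password at the next start, so a running service
    # keeps running on the old one until restarted. -Restart is what proves the new secret.
    param(
        [Parameter(Mandatory)][CimSession]$Session,
        [Parameter(Mandatory)][ciminstance]$Service,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [switch]$Restart
    )
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    $r = Invoke-CimMethod -CimSession $Session -InputObject $Service -MethodName Change `
            -Arguments @{ StartName = $Service.StartName; StartPassword = $plain }
    if ($r.ReturnValue -ne 0) { throw "Change on $($Service.Name) returned $($r.ReturnValue) (2 = access denied)" }
    if ($Restart -and $Service.State -eq 'Running') {
        [void](Invoke-CimMethod -CimSession $Session -InputObject $Service -MethodName StopService)
        $deadline = (Get-Date).AddSeconds(60)
        do {
            Start-Sleep -Seconds 1
            $state = (Get-CimInstance -CimSession $Session -InputObject $Service).State
        } until ($state -eq 'Stopped' -or (Get-Date) -gt $deadline)
        $s = Invoke-CimMethod -CimSession $Session -InputObject $Service -MethodName StartService
        # Return code 15 (Service Logon Failed) is the stored-password-is-wrong case (Error 1069 in the UI).
        if ($s.ReturnValue -ne 0) { throw "$($Service.Name) did not start after the update: rc=$($s.ReturnValue)" }
    }
}

# Orchestration in the same order as the PAM job: reset in AD first, then every endpoint.
$shadow = Get-Credential -Message 'Shadow account with Reset Password rights on svc-app'
$newPw  = New-RandomPassword -Length 32
Reset-ServiceAccountPassword -SamAccountName 'svc-app' -NewPassword $newPw `
    -ShadowCredential $shadow -Server 'dc01.corp.example'

$report = foreach ($endpoint in 'app01', 'app02') {
    $session = New-CimSession -ComputerName $endpoint      # WinRM; caller must be a local admin there
    try {
        $found = Find-DependentServices -Session $session -SamAccountName 'svc-app' `
                    -NetBiosDomain 'CORP' -DnsDomain 'corp.example'
        foreach ($svc in $found) {
            try   { Update-ServiceLogonPassword -Session $session -Service $svc -NewPassword $newPw -Restart
                    $result = 'updated and restarted' }
            catch { $result = "FAILED: $_" }               # this endpoint still holds the old password
            [pscustomobject]@{ Host = $endpoint; Service = $svc.Name; LogOnAs = $svc.StartName; Result = $result }
        }
    } finally { Remove-CimSession $session }
}
$report | Format-Table -AutoSize
```

The ordering matters in the same way it does for the PAM job: the AD reset is the single step that can leave the environment inconsistent, so it runs first and stops the script on error, and every endpoint update after it is isolated in its own try/catch so one unreachable host does not prevent the others from being updated. The per-service report at the end plays the role of the Job History entries, and a FAILED row is the same signal as a failed job in PAM: that host still has the old password in its SCM and must be fixed before the service is next restarted.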

[Screenshot: DomainServiceAccount-JobHistory-Outline]