Understanding Managed Service Accounts in Windows for Enhanced Cybersecurity

In Windows, automated accounts are known as “Managed Service Accounts” and can be denoted by a dollar sign at the end. For instance, if there’s an IIS service running on the machine, it would behoove the security administrator to run the instance as a user named IIS-Runner$ or even the classic www-data$. This is because most of the actions performed by this account will be automated, making security audits, EDR logging, and many other actions much easier to understand.

You Should Know:

1. Creating a Managed Service Account (MSA):

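New-ADServiceAccount -Name 'IIS-Runner' -RestrictToSingleComputer -Enabled $true

This command creates a new standalone Managed Service Account. The name is given without the dollar sign because the cmdlet appends it to the account's sAMAccountName, which becomes “IIS-Runner$”. The -RestrictToSingleComputer switch is needed here: without it the cmdlet creates a group MSA and requires -DNSHostName.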

2. Installing the MSA on a Computer:

Install-ADServiceAccount -Identity "IIS-Runner$"

This command installs the MSA on the local machine.

3. Configuring a Service to Use the MSA:

sc.exe config "IISService" obj= "DOMAIN\IIS-Runner$" password= ""

This command configures the IIS service to use the MSA.

4. Verifying the MSA:

Test-ADServiceAccount -Identity "IIS-Runner$"

This command verifies that the MSA is correctly configured.

5. Auditing MSA Activities:

Get-WinEvent -LogName 'Security' | Where-Object { $_.Message -like '*IIS-Runner$*' }

This command retrieves security logs related to the MSA.

6. Disabling an MSA:

Set-ADServiceAccount -Identity "IIS-Runner$" -Enabled $false

This command disables the MSA by clearing its Enabled flag.

7. Removing an MSA:

Remove-ADServiceAccount -Identity "IIS-Runner$"

This command removes the MSA from Active Directory.
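
Step 5 matches the account name against the rendered message text of every Security event. As an added example (not code from the original post), the function below reads the structured fields of logon event 4624 instead and flags any logon of the MSA that is not a service logon. The function name, the sample events and the rule that only logon type 5 is expected are assumptions.

```powershell
# Added example: classify 4624 logon events for one MSA by logon type.
# Assumption: on the service host the MSA should only log on as a service (type 5).
$LogonTypeName = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 10 = 'RemoteInteractive' }

function Get-MsaLogonFinding {    # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,    # one string per event, from $event.ToXml()
        [Parameter(Mandatory)] [string]   $Account,     # sAMAccountName, e.g. 'IIS-Runner$'
        [int[]] $ExpectedType = @(5)
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ($evt.System.EventID -ne '4624') { continue }
        # EventData is a list of <Data Name="..."> elements; index it by name.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Exact, case-insensitive match: no wildcard handling of '$' or '*'.
        if ($data['TargetUserName'] -ne $Account) { continue }
        $type = [int]$data['LogonType']
        [pscustomobject]@{
            Time       = $evt.System.TimeCreated.SystemTime
            Account    = $data['TargetUserName']
            LogonType  = $type
            TypeName   = $LogonTypeName[$type]
            Source     = $data['IpAddress']
            Unexpected = $ExpectedType -notcontains $type
        }
    }
}

# Constructed sample events (trimmed to the fields used here), not real log data.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>' +
            '<EventID>4624</EventID><TimeCreated SystemTime="{0}"/></System><EventData>' +
            '<Data Name="TargetUserName">{1}</Data><Data Name="LogonType">{2}</Data>' +
            '<Data Name="IpAddress">{3}</Data></EventData></Event>'
$sample = @(
    $template -f '2024-01-01T08:00:00Z', 'IIS-Runner$', 5,  '-'
    $template -f '2024-01-01T09:30:00Z', 'IIS-Runner$', 10, '192.0.2.15'
    $template -f '2024-01-01T09:31:00Z', 'alice',       2,  '127.0.0.1'
)

Get-MsaLogonFinding -EventXml $sample -Account 'IIS-Runner$' | Format-Table

# Live use on the service host (elevated session):
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
#        ForEach-Object { $_.ToXml() }
# Get-MsaLogonFinding -EventXml $xml -Account 'IIS-Runner$' | Where-Object Unexpected
```

Filtering by event ID with -FilterHashtable happens in the event log service, so far fewer events are rendered than with the Where-Object match on the message text.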

What Undercode Say:

Managed Service Accounts (MSAs) in Windows provide a secure and efficient way to manage automated accounts, particularly for services like IIS. By using MSAs, security administrators can streamline security audits, enhance EDR logging, and improve overall system security. The PowerShell commands provided above offer a practical guide to creating, configuring, and managing MSAs, ensuring that your Windows environment remains secure and well-audited. For further reading, you can refer to the Microsoft Documentation on Managed Service Accounts.

References:

Reported By: Sam Williams1 – Hackers Feeds