Focus on Microsoft
Discovering Active Directory users with blank passwords Apr 02 2007 04:43PM
igor mamuzic koncar-inem hr (5 replies)
Discovering Active Directory shared or Service users account Apr 03 2007 02:25PM
Biassoni Riccardo (r biassoni reply it) (3 replies)
Re: Discovering Active Directory shared or Service users account Apr 04 2007 12:59PM
Chris Costantino (clckct yahoo com)
RE: Discovering Active Directory shared or Service users account Apr 03 2007 05:53PM
Talkovic, Scott A. (satalkov uci edu) (1 replies)
RE: Discovering Active Directory shared or Service users account Apr 08 2007 02:00AM
David LeBlanc (dleblanc mindspring com)
You can also get this from the sc.exe command - start from sc <machinename>
query to get the list of services, then follow that up to get the start
name. It's also a fairly easy C programming project - open the service
control manager, enumerate the services, then see which are running as
something other than localsystem, etc. Any good network auditing tool should
do this - I put it in the Internet Scanner almost 10 years ago.

Some additional pieces of information are needed - first would be to see if
the service is running. Sometimes they'll be stopped with stale passwords.
Next is to see if it is a domain account - lots of things make local
accounts for services, and I'd assume you're not really concerned about
these.

Lastly, and this is a good trick I've been keeping to myself for quite some
time, in order to find out when was the last time the account logged on to
that system, check the write time and date on the
HKLM\Software\Microsoft\Windows NT\ProfileList\[user's SID] key. Prior to
Windows 2003, this was accessible as auth user, now it takes admin to read
it remotely. I'm not sure if the last write time on a reg key is available
using anything other than the Windows API calls. Any account that logs on
locally, including services, will update the write time on the key for their
account. A nice side-effect is that you can get the up time on the services
in question, since every time they restart, a logon is performed. I once had
someone pushing back on a password change policy for services, complaining
it would hurt his up time, so I checked and found out that only 2% of his
systems actually went that long without a restart, so security won that
round.

Understanding who logs on as a service, and where, is really critical to
securing the overall network. Anyone with admin credentials could hijack the
service, and perform tasks using the service account. Thus you should not
have services running under high level domain accounts, unless you're
prepared to treat that system as being as critical to security as the domain
controllers.

Hope this helps...

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
Behalf Of Talkovic, Scott A.
Sent: Tuesday, April 03, 2007 10:53 AM
To: Biassoni Riccardo; focus-ms (at) securityfocus (dot) com
Subject: RE: Discovering Active Directory shared or Service users account

Here's a quick way to find non-standard service accounts that are
actually used:

Loop through each computer with the following command, replacing %1 with
the name of the computer.

C:\>wmic /node:%1 service where (not StartName like "LocalSystem" and
not StartName like "%%NetworkService%%" and not StartName like
"%%LocalService%%") get Name, Caption, StartMode, StartName, Started

This might be more effective because, as James noted, service accounts
look just like regular user accounts in Active Directory.

There might be better ways other than this.

Scott

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
On Behalf Of Biassoni Riccardo
Sent: Tuesday, April 03, 2007 7:25 AM
To: focus-ms (at) securityfocus (dot) com
Subject: Discovering Active Directory shared or Service users account

Hi All,

Is there a way to discover Active Directory "Shared" user account or
"Service" users Account for auditing purpose?
I have domain admin privileges and local access to my domain
controllers.

Best regards
Tich

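Added example (not part of any message in this thread): a Python triage of the wmic service listing described above, separating built-in, local and domain start accounts, mapping each domain account to the hosts where it logs on as a service, and listing stopped services that still carry domain credentials. It assumes the wmic query was run with /format:csv and the output saved as plain text; the host, domain and account names are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of wmic /format:csv output for two hosts (not real data).
SAMPLE = """Node,Caption,Name,Started,StartMode,StartName
WEB01,Print Spooler,Spooler,TRUE,Auto,LocalSystem
WEB01,DNS Client,Dnscache,TRUE,Auto,NT AUTHORITY\\NetworkService
WEB01,Backup Agent,BkpAgent,TRUE,Auto,CORP\\svc_backup
WEB01,Old Monitor,OldMon,FALSE,Manual,CORP\\svc_monitor
DB01,Backup Agent,BkpAgent,TRUE,Auto,CORP\\svc_backup
DB01,SQL Engine,SqlEng,TRUE,Auto,svc_sql@corp.example
DB01,App Helper,AppHelp,TRUE,Auto,.\\apphelper
DB01,Report Job,RptJob,FALSE,Disabled,DB01\\reports
"""

BUILTIN = {"localsystem", "networkservice", "localservice",
           "network service", "local service"}

def classify(start_name, node):
    """Return 'builtin', 'local' or 'domain' for a service StartName."""
    name = (start_name or "").strip()
    if "@" in name:                        # UPN form: user@domain
        return "domain"
    prefix, _, user = name.rpartition("\\")
    if not name or user.lower() in BUILTIN:
        return "builtin"                   # empty StartName is grouped here too
    if prefix in ("", ".") or prefix.lower() == node.lower():
        return "local"                     # .\user or COMPUTERNAME\user
    return "domain"

def audit(csv_text):
    """Return ({domain account: [(node, service, running)]}, stopped list)."""
    where = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if classify(row["StartName"], row["Node"]) != "domain":
            continue
        running = row["Started"].strip().upper() == "TRUE"
        where[row["StartName"].lower()].append((row["Node"], row["Name"], running))
    # Stopped services with domain accounts are candidates for stale passwords.
    stopped = sorted((acct, node, svc) for acct, uses in where.items()
                     for node, svc, running in uses if not running)
    return dict(where), stopped

if __name__ == "__main__":
    accounts, stopped = audit(SAMPLE)
    for acct, uses in sorted(accounts.items()):
        print(acct, "->", ", ".join(f"{n}/{s}" for n, s, _ in uses))
    print("stopped with domain credentials:", stopped)
```

An account that appears on several hosts in the first result is one whose compromise on any of those hosts exposes the rest.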
Re: Discovering Active Directory shared or Service users account Apr 03 2007 03:18PM
James (njan) Eaton-Lee (james mailing gmail com)
RE: Discovering Active Directory users with blank passwords Apr 03 2007 02:04PM
Goran Pizent (goran pizent mobilnet hr)
RE: Discovering Active Directory users with blank passwords Apr 02 2007 07:55PM
Kunz, Jeffrey T. (JKunz foley com) (1 replies)
Re: Discovering Active Directory users with blank passwords Apr 03 2007 12:03AM
Kevin Gay (rot_betruger sbcglobal net) (2 replies)
Re: Discovering Active Directory users with blank passwords Apr 03 2007 02:17PM
Raoul Armfield (armfield amnh org)
Re: Discovering Active Directory users with blank passwords Apr 03 2007 02:01PM
pimp mastermind (gbchustla gmail com)
RE: Discovering Active Directory users with blank passwords Apr 02 2007 07:51PM
eric (eric ch13-12westtex org)
Re: Discovering Active Directory users with blank passwords Apr 02 2007 06:46PM
c0d3w12 c0d3w12 (c0d3vv12 gmail com)

Copyright 2009, SecurityFocus