Q: What are MSAs and virtual accounts and how can they complement service-specific SIDs?
The combination of MSAs or virtual accounts and service-specific SIDs provides the best least-privilege configuration option for a Windows service.
June 13, 2012
A: Managed service accounts (MSAs) and virtual accounts, which Microsoft introduced in Windows 7 and Windows Server 2008 R2, overcome the password management problems you'll encounter if you use a custom domain or local account for authenticating a service. By using a custom account, you can better isolate the privileges of an application -- which isn't the case when you use one of the built-in high-privilege local accounts (i.e., Local System, Local Service, Network Service) as the service account.
But unlike these built-in local accounts, custom accounts don't have automatic password management. Therefore, when you use custom service accounts, you need to manually manage their passwords or create a custom solution for managing them. MSAs and virtual accounts resolve this problem by providing automatic password management.
MSAs are domain accounts and virtual accounts are local accounts. Besides automated password management, MSAs also provide simplified Service Principal Name (SPN) management. Services that run with virtual accounts can access network resources by using the identity and credentials of the local computer account.
The combination of MSAs or virtual accounts and service-specific SIDs provides the best least-privilege configuration option for a Windows service. MSAs and virtual accounts are the best least-privilege option for authenticating a service, and service-specific SIDs are the best least-privilege option for authorizing a service.
To use MSAs or virtual accounts, the client computer on which the application or service is installed must be running Server 2008 R2 or Windows 7. To ensure automatic MSA password management on a Windows domain controller (DC), your Active Directory (AD) schema must have been updated to Server 2008 R2.
There's no UI support for creating and managing MSAs. To configure and manage MSAs for a service, you must use Windows PowerShell cmdlets. To have PowerShell support for creating MSAs in AD, you must install the .NET Framework and the AD module for PowerShell. To import the AD module for PowerShell, you use the Import-Module cmdlet as follows:
Import-Module ActiveDirectory
Setting up an MSA for a service requires four configuration steps. The first two steps affect AD for your domain; the last two steps are done against the domain machine where the service using the MSA will actually run.
To create a new MSA in AD, use the New-ADServiceAccount cmdlet, as follows:
New-ADServiceAccount -name newMSA -enabled $true
where newMSA is the name of the new MSA you create. You can then link the newly created MSA to the AD machine account of the machine where the service is installed. Note that an MSA can be linked to only a single machine that is a domain member and that runs Server 2008 R2, Windows 7, or a later Windows OS. To do so, you must use the Add-ADComputerServiceAccount cmdlet, as follows:
Add-ADComputerServiceAccount -identity myservicemachine -serviceaccount newMSA
where myservicemachine is the machine account name of the service machine. The service administrator must then install the MSA on the service machine. To do this, you must be a member of the local administrators group on the service machine and use the Install-ADServiceAccount cmdlet, as follows:
Install-ADServiceAccount -identity newMSA
Finally, you must configure the service or application to actually use the MSA for authentication. This step can be done in the service's properties that you can access from the Microsoft Management Console (MMC) Services snap-in. On the Log On tab, click This account and enter the MSA in the format domainname\accountname$. For the above example, you would use mydomain\newMSA$ (make sure you append a dollar sign at the end!). Leave the password fields blank.
Setting up a service to use a virtual account for authentication is much simpler. In this case, you can go straight to the MMC Services snap-in and configure the local virtual account by using the This account option on the Log On tab of the Service properties. Enter the virtual account in the format NT SERVICE\servicename -- where servicename is the actual name of the service. Again, leave the password fields blank.
You can find more details about MSAs and virtual accounts and how to manage and configure them in the Microsoft TechNet article "Service Accounts Step-by-Step Guide."
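The four MSA steps above, scripted end to end with a check after each one, plus a small audit of how every service on the host logs on. This is an added example, not code from the article or from Microsoft; it assumes it runs on the service host (as a local administrator, with the AD module installed) and uses the Win32_Service.Change WMI method in place of the MMC Services snap-in. The names mydomain, newMSA, myservicemachine and MyService are placeholders.

```powershell
# Added example (not from the original article). Assumes: run on the service
# host as a local admin, AD module available, placeholder names as noted.
Import-Module ActiveDirectory

function Install-ServiceMsa {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,        # e.g. mydomain
        [Parameter(Mandatory=$true)][string]$MsaName,       # e.g. newMSA
        [Parameter(Mandatory=$true)][string]$ComputerName,  # e.g. myservicemachine
        [Parameter(Mandatory=$true)][string]$ServiceName    # e.g. MyService (placeholder)
    )
    # Step 1: create the MSA in AD (skip if it already exists).
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$MsaName'")) {
        New-ADServiceAccount -Name $MsaName -Enabled $true
    }
    # Step 2: link the MSA to the machine account of the service host.
    Add-ADComputerServiceAccount -Identity $ComputerName -ServiceAccount $MsaName
    # Step 3: install the MSA locally, then confirm the host can actually use it.
    Install-ADServiceAccount -Identity $MsaName
    if (-not (Test-ADServiceAccount -Identity $MsaName)) {
        throw "MSA '$MsaName' is not usable on this host; re-check the link in step 2."
    }
    # Step 4: point the service at DOMAIN\name$ with an empty password;
    # Windows manages the password from here on. ReturnValue 0 means success.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }
    $rc = $svc.Change($null,$null,$null,$null,$null,$null,"$Domain\$MsaName`$","")
    if ($rc.ReturnValue -ne 0) { throw "Win32_Service.Change failed: $($rc.ReturnValue)" }
    Restart-Service -Name $ServiceName
}

# Audit: classify each service's logon account so any service still using a
# custom account with a manually managed password stands out.
function Get-ServiceLogonClass {
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $class = switch -Regex ($_.StartName) {
            '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService))$' { 'built-in'; break }
            '^NT SERVICE\\' { 'virtual account'; break }
            '\$$'           { 'MSA'; break }
            default         { 'custom (manual password)' }
        }
        New-Object PSObject -Property @{ Service=$_.Name; LogOnAs=$_.StartName; Class=$class }
    }
}

# Example use:
# Install-ServiceMsa -Domain mydomain -MsaName newMSA -ComputerName myservicemachine -ServiceName MyService
Get-ServiceLogonClass | Sort-Object Class | Format-Table Service, LogOnAs, Class -AutoSize
```

For a virtual account, step 4 alone is needed: call Change with "NT SERVICE\$ServiceName" as the StartName and an empty password, exactly as the snap-in does.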