Audited a clients service accounts today. One of them hasn't had a password change since 2012.
Posted by hardeningbrief@reddit | sysadmin | View on Reddit | 34 comments
Ran a quick audit this week looking for Kerberoastable accounts at one of our clients and (as always) found several. One had a last password change date of June 2012.
The service was still running but nobody touched it in over a decade.
This is more common than it should be. Service accounts get set up once, given a password someone typed in a hurry, and then forgotten completely. They're not in any rotation policy and nobody thinks about them until something breaks.
The problem isn't just weak passwords either. Any authenticated domain user can request a Kerberos service ticket for an account with a SPN. That ticket is encrypted with the account's password hash. If the password is weak and hasn't changed since 2019, an attacker pulls the ticket offline and cracks it with Hashcat in under an hour. Especially if it's encrypted with RC4. No lockout, no logs on the account and zero noise.
Once it's cracked, they own whatever that service account has access to. In a lot of environments that's SQL, backup agents! (this one's huge) and Exchange. Sometimes it's Domain Admin because someone thought it was easier at the time.
gMSA fixes this.
The password becomes 240 bytes of random data, so 120 chars, rotated every 30 days, and no human ever sees it in plaintext. There's nothing to crack because the entropy is completely unrealistic to brute force.
Setup is actually straightforward:
One-time per domain:
Add-KdsRootKey -EffectiveImmediately
Wait 10 hours for replication. (-EffectiveImmediately doesn't do what you think it might do.)
Create the account:
New-ADServiceAccount -Name "svc_yourservice" `
-DNSHostName "svc_yourservice.yourdomain.com" `
-PrincipalsAllowedToRetrieveManagedPassword "SERVER01$"
Install on the target server:
Install-ADServiceAccount -Identity "svc_yourservice"
Test-ADServiceAccount "svc_yourservice"
If Test-ADServiceAccount returns "True", you're done. If it returns "False", the computer account probably isn't in PrincipalsAllowedToRetrieveManagedPassword. Fix that, run klist purge, gpupdate /force, test again.
Assign it in services.msc by entering YOURDOMAIN\svc_yourservice$ on the Log On tab. Leave the password field empty.
Limitations worth knowing before you start:
- Only works for Windows services, IIS app pools, and Scheduled Tasks
- Anything that requires a password typed into a config file won't work
- SQL Server 2014+ supports it. Exchange on-prem has limited support so check before migrating
- Scheduled tasks need to be configured via
schtasksfrom the command line, not the GUI
For detection while you're still migrating: enable Audit Kerberos Service Ticket Operations on your DCs and watch for Event ID 4769 with Ticket Encryption Type 0x17. In a modern environment almost everything should be AES. RC4 requests against accounts with SPNs are Kerberoast traffic.
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable
If you're on Defender for Identity, alert ID 2410 covers this.
Thirty minutes per service to migrate. Free and no reboot required :)
Worth doing before someone else finds your service accounts first.
TimePlankton3171@reddit
If the password is good (long and unique) then age doesn't matter. If it's not good, age doesn't save it.
raip@reddit
Not entirely accurate - of the password hasn't been changed since pre-domain functional level 2008, then it won't have AES Encryption keys. This means a vulnerable hash and, even worse, operational issues with recent upgrades disabling RC4.
makeitasadwarfer@reddit
Age matters when admins who knew the password have left the org years ago and still may know it or have it.
thortgot@reddit
In this case it's old enough that it's encryption isn't in the correct format. Age can and does matter.
TimePlankton3171@reddit
Good point
hardeningbrief@reddit (OP)
I agree.
The use case for gMSA is not that long passwords are vulnerable, but that a human is in the loop who might not generate a long password or not rotate them.
KavalierMLT@reddit
Why change the password when the service they offer is so crappy even Nigerian or Indian scammers will refuse to interact with them.
Cormacolinde@reddit
SCCM Network Access Account - this account is automatically copied into every client’s WMI. Accessible in clear-text by anyone with local admin privileges.
Password set in 2015.
Is member of the Domain Admins group.
How weird that I’ve seen that more than once?
cycle_dorkus@reddit
Learned today that you can set a scheduled task in MMC, at least in Server 2025! You need to use the search function from the object picker box and select from the list, but it works! Downside is that every time you update it, you need to find it in the search box again.
Wish MS would have invested a tiny bit more time into this in the 14 years gMSAs have been around.
BoysenberryDue3637@reddit
I started with a company and we did the same thing in auditing but all accounts. The niece of the owner, her account was setup when she was 16 and that was when her account was setup. The password was her dogs name. and the password was 6 characters. Her son was just turning 16 when we found this. That was an awakening for me.
hardeningbrief@reddit (OP)
For anyone interested how to set gMSA up and protect against kerberoasting
I wrote a full writeup on it recently:
https://www.thehardeningbrief.com/p/gmsa-service-accounts
VTi-R@reddit
I particularly enjoyed the account that was member of domain admins, enterprise admins and schema admins with the password last set in 2004. Found during a project in March this year.
And the last logon date was the same day I found it...
hardeningbrief@reddit (OP)
With password probably set to "Summer2004!"
DiligentPhotographer@reddit
I was more secure than that, I used MonthCity2004! lol
Og-Morrow@reddit
Password1
ncc74656m@reddit
I too am a person of taste!
patmorgan235@reddit
That think still had an RC4 hash didn't it...
Nexzus_@reddit
Yeah, a weak service account password (that had admin rights on one particular server and its dev) caught a former place of mine. Delivered via, IIRC, an infected email attachment. We only discovered it when installed a black-listed executable (ngrok). What followed was a 36 hour mad scramble to reset every service account password and detailed audit of every server.
hardeningbrief@reddit (OP)
gMSA might have saved you!
Hope everything got worked out in the end. Unfortunately things like this happen way to often.
TEM_advisor@reddit
Excellent point on service account governance — this type of blind spot is exactly what you find in audits of poorly tracked enterprise environments, and it often goes hand in hand with equally forgotten telecom and mobile assets (active SIMs with no user, orphaned licenses, equipment that hasn't been inventoried in years). At Saaswedo, we regularly see this pattern in our TEM audits: resources provisioned once, never reviewed, representing both a security risk and a ghost cost — on mytem360 for example, we automatically detect this type of dormant asset on the telecom/digital workplace side, which nicely complements an approach like yours on IAM. gMSA is clearly the right technical answer for service accounts, and coupling that with continuous visibility across all IT/telecom assets transforms a reactive posture into proactive governance. In your client audits, do you have a consolidated view of telecom assets and licenses alongside AD security, or are these silos still managed separately?
hardeningbrief@reddit (OP)
thank you!
appreciate it.
docNNST@reddit
One of my jobs the kbgrt hasn’t been rotated since 2006
hardeningbrief@reddit (OP)
krbtgt has a 120 char password by default, but if you are an interesting target, 20 years more than enough time!
docNNST@reddit
AD and forest functional level was 2003 until a few weeks ago.
Ok_Tap7102@reddit
When you say "as always" you found a kerberoastable account... Isn't that just finding an account with an SPN set?
Or are you saying you found SPNs with wordlisted, easily guessable passwords?
hardeningbrief@reddit (OP)
I would define a kerberoastable account as follows:
Wrote a full breakdown on this last week actually. RC4 and the msDS-SupportedEncryptionTypes fix.
Post is on my profile if useful
ncc74656m@reddit
My old environment when I took over this current place had a DA acct for basically everything that was set in 2012 as well. How did I know it was 2012? Oh, because the password was literally May2012 somethingorother. I think it was actually a whopping 9 characters, but don't quote me on that. 😣
There was an MSP before me running things, and that was their literal everything account. Basic local admin tasks through full upgrades of the badly configured 2016 DC. 😂
In any case, this is a brilliant writeup and a lot of great technical detail. Thanks so much for sharing!
hardeningbrief@reddit (OP)
Unfortunately, I see this way too often!
Thank you very much. Glad you enjoyed it. :)
ncc74656m@reddit
It's truly appalling, esp for an MSP, and triply so for those that work with very small businesses who aren't tech-forward. They are the ones who really need the collectivized knowledge and someone to say "This isn't right, and doing better is easy."
I get it, a lot of MSPs working with smaller clients run on tight staffing and thinner profit margins, but the OTHER part of that is that having more secure and better run clients also rapidly reduces your support overhead, AND makes them a happier customer. It amazes me that people get away with this though. There really need to be laws governing MSP due diligence and such.
Resident_Role_2815@reddit
You get what you pay for, and small businesses think IT is a waste of money. Sometimes you just take their money and let them make bad decisions. What a lot of internal IT people do not understand about IT is that you are not in any way a decision maker. You consult. You warn. You execute as directed.
thisladnevermad@reddit
have a tenant and the boss of that company hasnt change his PW since 2010. best Part is, i found his data in HaveIbeenpowned, changed it immediatley and wrote him an Email. Next morning he calls me furious and wants me to change it back. I wrote him an detailed Email of the risks and asked to confirm me that he is aware of the content from that mail. He did and i changed it back. He has again a pw wich contains the first letters of his name and his birthday. The company is also named after him. Im just waiting for the day...
_litz@reddit
At least they KNOW their password.
The fun part of DR testing is when your customer expects you to restore their data, and they have no idea what the encryption password is .....
jibbits61@reddit
I’ve seen service accounts with creds old enough to get a drivers license. SMH 🤦
zw9491@reddit
2012? That’s nothin