
Configuring Managed Service Accounts

MSA is an AD DS object class that simplifies the management of service account passwords and SPNs. MSAs were introduced with Windows 7 and Windows Server 2008 R2.

An MSA is stored in AD DS as an msDS-ManagedServiceAccount object. This class inherits its schema structure from the computer class, which in turn inherits from the user class. This lets an MSA provide user-like functionality, such as the authentication and security context needed to run a service, while also using the same automatic password-update mechanism that computer objects use in AD DS, a process that requires no user interaction.

MSAs offer the following benefits that simplify management:

Automatic password management. An MSA maintains its own password, including the automatic password-change mechanism.

Simplified SPN management. If your domain is configured at the Windows Server 2008 R2 domain functional level or higher, SPN management is performed automatically.

Let’s try to get the password of the account under which SQL Server is run.

There is:

  • Domain controller at Windows Server 2012 R2
  • SQL Server Express 2012

During the SQL Server installation, specify an existing domain account (with a password shorter than 14 characters) to run the service.


Use the gsecdump utility to extract passwords.

Run PowerShell as administrator and run the command:

gsecdump-v2b5.exe -1

The result is:


What are Managed Service Accounts

The Managed Service Accounts (MSA) mechanism was introduced in Windows Server 2008 R2 as protection against such attacks.

Managed Service Accounts are domain accounts that provide automatic password management and simplified management of service principal names (SPNs), including the delegation of control to other administrators.

Advantages of Managed Service Accounts

  • Automatic password change. By default the password is changed every 30 days
  • A complex password. A complex, automatically generated password of 240 random characters (the first half consists of English letters, the second half of digits and other symbols)
  • No superfluous rights
  • The ability to use one account on several servers (gMSA) when all service instances must run under a single security principal, e.g., in NLB
  • SPN management

Automatic update of the SPN after renaming:

  • the server account
  • the dnshostname property of the server account
  • the additionaldnshostname property of the server account
  • the additionalsamaccountname property of the server account

Services that support MSA:

  • IIS
  • AD LDS
  • SQL Server 2008 R2 SP1, 2012
  • MS Exchange 2010, 2013

MSA Requirements

  • Domain and forest level – Windows Server 2008 R2
  • Windows Server 2008 R2, Windows 7 (Professional, Enterprise, Ultimate) and above
  • .Net Framework 3.5x
  • Active Directory administration module for PowerShell
  • The installed patch KB2494158

If the forest and domain are not at the 2008 R2 (MSA) or 2012 (gMSA) levels, raise the forest level with the command:

adprep /forestprep

and raise the domain level with the command:

adprep /domainprep

in each domain in which you are going to create and use managed service accounts.

How to Enable MSA in PowerShell

  1. Run the cmdlet:

    Import-Module ActiveDirectory

  2. To create an MSA account, run the cmdlet:

    New-ADServiceAccount serviceaccount -RestrictToSingleComputer

    where serviceaccount is the name of the MSA account

    The parameter RestrictToSingleComputer means that MSA will be linked only to a single server. You can go to Active Directory Users and Computers and make sure that MSA has been created (for the section Managed Service Accounts to appear, you have to enable Advanced Features in the View menu of the AD snap-in).

  3. To link the MSA to the server, run the cmdlet:

    Add-ADComputerServiceAccount -Identity server -ServiceAccount serviceaccount

    where server is the name of the server that is associated with the MSA

    serviceaccount is the name of the MSA

    To check that the operation has succeeded, go to Active Directory Users and Computers, open the server properties and check the msDS-HostServiceAccount attribute.

  4. Install the managed service account on the local computer

    You have to run the cmdlet:

    Install-ADServiceAccount -Identity serviceaccount

    where serviceaccount is the name of the MSA

  5. Test the MSA (Windows 8.1, Windows PowerShell 4.0, Windows Server 2012 R2)

    Run the cmdlet:

    Test-ADServiceAccount serviceaccount

    where serviceaccount is the name of the MSA

    It returns True or False.

  6. Configure the Windows service to run as the MSA and restart the service.

    Don't forget to put '$' at the end of the MSA name.

    The Password field should be left empty.

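The six steps above as one script, added here as an example; it is not code from the original article. The names (domain CORP, server SRV01, MSA svc-sql01, service MSSQLSERVER) are assumptions, and the script is meant to be run in an elevated PowerShell session on SRV01 itself with the RSAT Active Directory module installed, because Install-ADServiceAccount must run on the computer that will use the account.

```powershell
# Added example (not from the original article): end-to-end setup of a classic
# (single-computer) MSA. All names below are assumptions.
Import-Module ActiveDirectory

$msaName = 'svc-sql01'     # name of the MSA (assumed)
$server  = 'SRV01'         # computer that will run the service (assumed)
$service = 'MSSQLSERVER'   # Windows service to reconfigure (assumed)
$domain  = 'CORP'          # NetBIOS domain name (assumed)

# Step 2: create the MSA, restricted to a single computer
New-ADServiceAccount -Name $msaName -RestrictToSingleComputer

# Step 3: link the MSA to the server; this populates msDS-HostServiceAccount
Add-ADComputerServiceAccount -Identity $server -ServiceAccount $msaName

# Verify the link from the directory side before touching the service
$linked = (Get-ADComputer -Identity $server -Properties 'msDS-HostServiceAccount').'msDS-HostServiceAccount'
if (-not ($linked -match "CN=$msaName,")) {
    throw "MSA $msaName is not linked to $server"
}

# Steps 4 and 5: install the account on this computer and test it
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "Test-ADServiceAccount failed for $msaName"
}

# Step 6: run the service as the MSA (name ends with '$', empty password).
# Win32_Service.Change is used instead of sc.exe because Windows PowerShell 5.1
# silently drops an empty-string argument ("") passed to a native command.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$service'"
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = "$domain\$msaName`$"
    StartPassword = ''
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with code $($result.ReturnValue)"
}
Restart-Service -Name $service
```

Unlike the services.msc dialog, a scripted change of the logon account does not grant the "Log on as a service" user right, so assign that right to the MSA through your local or group security policy before restarting the service.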

Let’s check the service account password using the gsecdump utility


Group Managed Service Accounts in Windows Server 2012

Windows Server 2012 introduced Group Managed Service Accounts (gMSA). They allow a managed account to be linked not to a single server but to several of them.

This can be necessary, for example, for Network Load Balancing or a Windows cluster.

Requirements:

  • Schema level – Windows Server 2012
  • Windows Server 2012 (R2) domain controller running Microsoft Key Distribution Service
  • Windows Server 2012, 2012 R2, 8, 8.1

How to Enable gMSA in PowerShell

  1. Make sure that the Microsoft Key Distribution Service is running. "Microsoft Key Distribution Service uses a shared secret to generate account keys. These keys are changed from time to time. Along with the other attributes of the Group Managed Service Account, a Windows Server 2012 domain controller gets a password for a key provided by the key distribution service. By contacting a Windows Server 2012 domain controller, Windows Server 2012 and Windows 8 hosts can get the current and the previous password."

    Create a Root Key

    A Root Key is created with the cmdlet:

    Add-KdsRootKey

    To create a new Root Key, run the following cmdlet:

    Add-KdsRootKey -EffectiveImmediately

    In this case the key becomes usable only after 10 hours, so that it has time to replicate.

    You can also run the cmdlet:

    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

    Then the key becomes available immediately (the 10-hour wait is skipped).

  2. Create gMSA

    New-ADServiceAccount serviceaccount -DNSHostName tst.test.com -PrincipalsAllowedToRetrieveManagedPassword $test

    where serviceaccount is the name of the gMSA

    tst.test.com is the name of the server on which the Root Key has been created

    $test is the name of the server that is allowed to contact the KDS to retrieve data.

    You can go to Active Directory Users and Computers and make sure that the gMSA has been created (for the section Managed Service Accounts to appear, you have to enable Advanced Features in the View menu of the AD snap-in).

  3. where serviceaccount is the name of the gMSA
  4. Test the gMSA (Windows 8.1, Windows PowerShell 4.0, Windows Server 2012 R2)
  5. Configure the Windows service to run as the gMSA and restart the service.

    Don't forget to put '$' at the end of the gMSA name.

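The gMSA steps above as one script, added here as an example that is not part of the original article. It differs from the single-computer MSA case in two places: the KDS root key must exist first, and the computers allowed to retrieve the password are named through -PrincipalsAllowedToRetrieveManagedPassword, here as a security group so that hosts can be added without touching the account. The gMSA name svc-web, the DNS name web.test.com, the group WebFarmHosts and the hosts WEB01/WEB02 are assumptions; the Install and Test lines are run on each host after it has been rebooted so its Kerberos token includes the new group membership.

```powershell
# Added example (not from the original article): gMSA shared by a group of hosts.
# All names are assumptions. Run on a domain controller or a host with RSAT.
Import-Module ActiveDirectory

$gmsaName  = 'svc-web'                    # gMSA name (assumed)
$dnsName   = 'web.test.com'               # DNS host name of the service (assumed)
$hostGroup = 'WebFarmHosts'               # group of computers allowed to use it (assumed)
$hosts     = @('WEB01$', 'WEB02$')        # computer accounts of the farm members (assumed)

# Step 1: KDS root key. Without -EffectiveTime the key is usable only after the
# 10-hour replication window; backdating it is acceptable in a lab, not in production.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# Security group whose members may retrieve the managed password
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
    Add-ADGroupMember -Identity $hostGroup -Members $hosts
}

# Step 2: create the gMSA; only members of $hostGroup can fetch its password from a DC
New-ADServiceAccount -Name $gmsaName -DNSHostName $dnsName `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup

# Read back the retrieval permission so a mistake is caught before deployment
$acct = Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
if (-not ($acct.PrincipalsAllowedToRetrieveManagedPassword -match "CN=$hostGroup,")) {
    throw "$hostGroup is not allowed to retrieve the password of $gmsaName"
}

# Steps 3 and 4, run on each farm host (WEB01, WEB02) after a reboot:
# Install-ADServiceAccount -Identity $gmsaName
# Test-ADServiceAccount -Identity $gmsaName    # True when this host can retrieve the password
```

Test-ADServiceAccount returning False on a host usually means that the host is not (yet) a member of the allowed group, or that it is still using a Kerberos token issued before it was added; a reboot of the host refreshes the token.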

Let’s check the service account password using the gsecdump utility


An MSA/gMSA can be removed with the cmdlet Uninstall-ADServiceAccount.

You can set MSA/gMSA parameters with the cmdlet Set-ADServiceAccount.

Set the password change interval:

Set-ADServiceAccount serviceaccount -ManagedPasswordIntervalInDays 60

60 is the number of days after which the password is changed.

Set the Kerberos encryption algorithms to be used by the MSA.

Options: RC4, AES128, AES256

Set-ADServiceAccount serviceaccount -KerberosEncryptionType RC4,AES128,AES256

Set SPNs:

Set-ADServiceAccount serviceaccount -ServicePrincipalNames @{Add=added SPN}

Set the NetBIOS name of the service (SAMAccountName).

If it is not set, the Name is used as the ID.

If it is set, the display name in AD is taken from Name and the login ID from SAMAccountName.

Set-ADServiceAccount serviceaccount -SamAccountName test
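The Set-ADServiceAccount parameters above applied to a managed service account and then verified with Get-ADServiceAccount, as an added example that is not from the original article. It goes one step further than the text by first listing every managed service account that still permits RC4, which is what a defender would check before hardening; the account name svc-web, the SPN HTTP/web.test.com and the SAM name svcweb$ are assumptions.

```powershell
# Added example (not from the original article): inventory and harden managed
# service accounts. Account, SPN and SAM names are assumptions.
Import-Module ActiveDirectory

$name = 'svc-web'                 # managed service account to harden (assumed)
$spn  = 'HTTP/web.test.com'       # SPN to register (assumed)
$sam  = 'svcweb$'                 # new logon name; MSA logon names end with '$' (assumed)

# Inventory: which MSAs/gMSAs still permit RC4 in KerberosEncryptionType?
$rc4Accounts = Get-ADServiceAccount -Filter * -Properties KerberosEncryptionType, ServicePrincipalNames |
    Where-Object { "$($_.KerberosEncryptionType)" -match 'RC4' } |
    Select-Object Name, KerberosEncryptionType, @{ n = 'SPNs'; e = { $_.ServicePrincipalNames -join ';' } }
$rc4Accounts | Format-Table -AutoSize

# Harden one account: AES only (RC4 removed), SPN added, logon name set
Set-ADServiceAccount -Identity $name -KerberosEncryptionType AES128,AES256
Set-ADServiceAccount -Identity $name -ServicePrincipalNames @{ Add = $spn }
Set-ADServiceAccount -Identity $name -SamAccountName $sam

# Verify by Name, since the logon identity has just changed
$acct = Get-ADServiceAccount -Filter "Name -eq '$name'" -Properties KerberosEncryptionType, ServicePrincipalNames
if ("$($acct.KerberosEncryptionType)" -match 'RC4')      { throw "$name still allows RC4" }
if ($acct.ServicePrincipalNames -notcontains $spn)        { throw "SPN $spn missing on $name" }
if ($acct.SamAccountName -ne $sam)                        { throw "SamAccountName of $name is $($acct.SamAccountName)" }
$acct | Select-Object Name, SamAccountName, KerberosEncryptionType, ServicePrincipalNames
```

Restricting an account to AES only affects the encryption types it advertises for Kerberos; the service host and the clients that obtain tickets for the SPN must support AES as well, which every supported Windows version does.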

MSA is a great way to improve network security.
