What are Group Managed Service Accounts (gMSA)?

What are Group Managed Service Accounts (gMSA)?

High Level Overview of GMSAs

Group Managed Service Accounts Overview

Group Managed Service Accounts (gMSA) were introduced in Windows Server 2016 and can be leveraged on Windows Server 2012 and above. gMSAs offer a more secure way to run automated tasks, services, and applications. How are gMSAs more secure you ask? Well, their passwords are completely handled by Windows. gMSA passwords are randomly generated, automatically rotated, and not required to be known by any user. The service accounts themselves are ‘installed’ on the server that is to be querying the password information from Active Directory at run time. This means that an end-user does not need to worry about updating the password in an application at the time of rotation. Unlike normal user accounts being used as service accounts, which in my experience seem to always have password ages of 10 or so years, these will not be susceptible to brute force attacks or bad password policies and hygiene.

Group Managed Service Account Security

The usage of gMSAs involves a computer account in Active Directory (the one where the gMSA is installed) being able to query the password information when the account is to be leveraged. The gMSAs are a specific object type in Active Directory, msDS-GroupManagedServiceAccount. These objects have special attributes associated with them related to their password and its rotation. The most important one being the msDS-ManagedPassword attribute. This attribute contains a BLOB with the current password information for the account. Similar to LAPS, you’ll want to ensure this attribute, and others are locked down to only the Active Directory objects that need access to it. I’ll cover all of the attributes and potential threats and attacks associated with gMSAs in a future post.

What’s Next?

Fortunately, in the next release of StealthAUDIT, due out later this year (2020), we’ll allow for the usage of gMSAs for both connection profiles and scheduled service accounts. I’ll be writing another blog on more in-depth issues and concerns related to gMSAs in the coming weeks, as well as how some of our tools can help assist with the detection and prevention of these threats.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Start a Free Stealthbits Trial!

No risk. No obligation.

Privacy Preference Center

      Necessary

      Advertising

      Analytics

      Other