30 Days of IT Compliance Q&A #8: Who Is Using Service Accounts?

This is a question that you may hear during a typical compliance audit. This question applies to many types of IT audits: PCI DSS, HIPAA, SOX, ISO, FERC, NERC, and more.

Why the auditor is asking this question: Auditors want to know if users are using their own accounts or if multiple users are sharing a single account. If someone does something in your network, they want an easy way to determine who performed that activity.

How to answer this question:

In order to be compliant, you must show that your users are not using shared credentials or service accounts. What can you do to detect unauthorized use of service account credentials?

Understanding your scenario:

You need to understand the entire service that your business relies upon.In this case lets call it a web ordering system. It is a three tiered system compromise of a Web Server, Application Server and Database server. All of these servers are connected to switches, firewalls and routers.How quickly do you want to know if someone uses a service account to log into your web ordering system?This means that if you only review logs once a day it could be 24 hours after the incident when you determine if a violation occurred.

Things that you need to answer to be successful:

1. Document your environment:
   1. How are your physical and virtual servers connected to switches, routers, and firewalls?
   2. Create a topology map showing the physical and logical map of your business service?
   3. What are the IP addresses for your web, application and database servers?
   4. What credentials should be used from what specific servers/devices and applications?
   5. Who are your administrators and what are there user names?
   6. What computers do you expect to see your administrators using?
   7. What subnet are your administrators on?
2. Enable logging on all of your servers and devices you wish to monitor or understand. The more information that is logged the better you will understand your environment.
   1. Web Server Logs
   2. Server Logs (operating system)
   3. Firewall Logs (level 6 logging)
   4. Switch Logs (level 6 logging)
   5. Router Logs (level 6 logging)
   6. Application Logs
   7. Database Audit logs
   8. Active Directory and other Authentication Logs
3. Configure the server / devices time to synchronize to a centralized time source (NTP).This will greatly help with trying to piece things together for investigation purposes.

A common method for achiving this is to document all changes on a spreadsheet. However, this is a cumbersome and unreliable method which requires the following steps:

1. Physically go to each piece of equipment and see what switch and port are connected and write it down.
2. Log into each server and see how each services have been configure and document what account is being used.
3. Log into each server and see what IP addresses are assigned to each server.
4. Draw a logical and physical topology map.
5. Talk to each administrator and ask what is his or her user name.
6. Ask you administrator what subnet they are on.
7. Ask each administrator what is the name of their computer they use and what is their IP address.If they are using DHCP for IP addresses you will need to constantly check and see what IP address was assigned to them.
8. Physically verify that NTP has been configured on all servers and network devices. Without having time synchronized on all devices it is had to piece event together.It makes is cumbersome and unreliable to manually put a timeline together.
9. Physically verify that logging has been enabled on all servers, applications and databases. Network devices usually do not store logs locally so you will need to install and configure a central log management server to store your logs. If you are not logging information how can you tell if something happened?
10. A log review is necessary in order to understand normal and abnormal activity. Manually reviewing logs can be cumbersome and overwhelming. Most of the time tools are necessary in order to deal with the volume of information that has to be reviewed.

• Manually review all of your logs to determine if a successful login you’re your service account name occurred from any other IP address that was not where you expected it.
• Review those irregularities and determine the source IP address of the violation.
• Log at the DHCP server and determine what computer was using that IP address at the time.
• Review all logins in the environment and determine what other accounts logged into the source of the violation.
• Review the Active Directory Server to determine the name of the user from the account information.
• Repeat log process to meet the frequency that you would want to be notified if a violation occurred.

A better way to do this:

AccelOps can discovery your applications, server, network devices and infrastructure.This allows for relationships to be understood.What applications are running on what servers or devices? Layer-2 and Layer-3 Topology maps. Automatic classification of devices types.AccelOps automatically understands and processes logs.AccelOps ships with over 1600 System reports and rules that have been created to help in understanding your organization and alert when issues arise. Below are the steps necessary in order to monitor service account activity within AccelOps.

Steps:

1. Make sure your network devices have logging enabled at level 6 and that they are forwarding their logs to AccelOps.
2. Add credentials to communicate to your Network Devices, VMware, Web, Application and Database servers.
3. Discovery your environment (discovered in seconds to minutes)
4. Create a business service of your web ordering system.
   • Topology map automatically gets created showing logical and physical maps.
   • All underlying devices automatically get added to the business services by understanding the layer-2 and layer-3 information.
5. Create a group in your Active Directory (AD) Server called Service Accounts.
6. Add all service account into the newly created AD group.
7. Create Rule that states if you see an account that is located in the Service Account Group that did not source from one of my Web Ordering system servers alert me.
   • This would alert you immediately when this violation occurs.This will reduce your exposure if the violation occurred from a Hacker or malicious employee.
8. When a violation occurs right click on the source IP address and click on Quick Information.
   • Quick information will give you all of the Identity and location information around a particular attribute. In this case what use names are associated with this IP address.
   • Then click on the user name in question and request quick information.All Active Directory information about that account will be revealed (Full Name, Title, Email Address, Telephone Numbers, Group Memberships).
9. Real-time or Historic searches can be performed on any or all members of the Web Ordering system by just selecting that group from the AccelOps CMDB.

Want to discuss how AccelOps can make your I.T. operations and compliance easier? Contact AccelOps to learn more.