I can remember the old days when administrators used to run their Exchange 5.5 services with domain accounts. This usually required setting the password to some really complex value and setting it to never expire. All was good in the world until the day the administrators were forced to change that password.
With Windows 2003 came the Network Service account, which was really an alias account that mapped to the domain computer account for the server. This helped things, since the computer account was configured to change its password automatically in the background every so many days. Granting permissions to the domain computer account provided a way to delegate permissions to any services that needed access to remote resources.
With Windows 2008 there is another progression in the service account landscape. That development is called Managed Service Accounts.
Here is a brief explanation from the TechNet site:
Two new types of accounts available in Windows Server 2008 R2 and Windows 7—the managed service account and the virtual account—are designed to provide crucial applications such as SQL Server or IIS with the isolation of their own accounts, while eliminating the need for an administrator to manually administer the SPN and credentials for these accounts.
Managed service accounts in Windows Server 2008 R2 and Windows 7 are managed domain accounts that provide the following features to simplify service administration:
- Automatic password management.
- Simplified SPN management, including delegation of management to other administrators.
Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that provide the following features to simplify service administration:
- No password management is required.
- The ability to access the network with a computer identity in a domain environment.
This is a big leap forward: it lets you segregate your services and give each service residing on the same server its own, separate access rights. I wonder how long it will be before the general public finds out about this new feature and actually uses it.
On a side note, Managed Service Accounts are really another example of how Microsoft appears to be fulfilling their promise to design software with security in mind.
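As an added example (not part of the original post), the following PowerShell walks through the lifecycle the TechNet excerpt describes: create the managed service account, tie it to one computer, install it on that host, register its SPN, and bind a service to it with an empty password so that Active Directory, not an administrator, owns the credential. It also shows the audit you would run first to find the legacy "complex password, never expires" service accounts from the opening paragraph. Domain CONTOSO / contoso.com, host APP01, account svc-web-msa and service MyAppService are constructed placeholders; the cmdlets are from the Windows Server 2008 R2 ActiveDirectory module.

```powershell
# Added example, not the post's own code. Placeholders: CONTOSO / contoso.com,
# APP01, svc-web-msa, MyAppService. Requires the ActiveDirectory module and
# rights to create service accounts in the domain.
Import-Module ActiveDirectory

# --- 1. Audit: find the old-style service accounts the post describes ---
# Enabled user accounts whose password never expires and that carry an SPN
# are classic "shared secret" service accounts, the risk MSAs are meant to remove.
$legacy = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
                     -Properties PasswordLastSet, ServicePrincipalName |
          Where-Object { $_.ServicePrincipalName } |
          Select-Object SamAccountName, PasswordLastSet, ServicePrincipalName
$legacy | Format-Table -AutoSize

# --- 2. Create the MSA in AD (run on a domain controller or admin workstation) ---
# On Server 2012 and later add -RestrictToSingleComputer to get a standalone MSA
# instead of a group MSA; on 2008 R2 every MSA is single-computer.
New-ADServiceAccount -Name 'svc-web-msa' -Enabled $true

# Associate the MSA with exactly one computer; only that host can install it.
Add-ADComputerServiceAccount -Identity 'APP01' -ServiceAccount 'svc-web-msa'

# Register the SPN on the MSA rather than on the computer or a human account,
# so Kerberos authentication to the service works and SPN management stays
# with the account that actually runs the service.
Set-ADServiceAccount -Identity 'svc-web-msa' `
    -ServicePrincipalNames @{Add = 'HTTP/app01.contoso.com'}

# --- 3. On APP01 itself: install the MSA so the host can fetch its password ---
Install-ADServiceAccount -Identity 'svc-web-msa'
if (-not (Test-ADServiceAccount -Identity 'svc-web-msa')) {
    throw 'MSA is not usable on this host; check the computer association and install step.'
}

# --- 4. Bind the service to the MSA. The account name ends in '$' and the
# password is an empty string: Windows retrieves the managed password itself.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MyAppService'"
$result = $svc.Change($null, $null, $null, $null, $null, $null, 'CONTOSO\svc-web-msa$', '')
if ($result.ReturnValue -ne 0) {
    throw "Failed to set service account (Win32_Service.Change returned $($result.ReturnValue))."
}
Restart-Service -Name 'MyAppService'
```

The audit in step 1 is also a useful recurring check: any account it lists after the migration is a service that is still running under a hand-managed password.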
Fri, Jan 22, 2010
Technology