Windows services and scheduled tasks can pose a significant vulnerability. They are often configured with elevated permissions and stale passwords, which can lead to service outages and the possibility of credential abuse. The recent introduction of the multiplexed account feature in Centrify Privileged Access Service helps to manage the complexity and concerns of service and scheduled task management. This article explains the steps used to create a multiplexed account, create a Windows scheduled task, and set that multiplexed account to run the task.
The advantage of this type of setup is that the passwords for the multiplexed sub-accounts never need to be checked out or viewed by anyone.
Creating the Multiplexed Account

1) To begin, create two user accounts in Active Directory, or have two accounts ready, as the multiplexed account relies on two sub-accounts.

2) Add the sub-accounts to the admin portal. Go to the admin portal > Resources > Domains > <Domain where the sub-accounts exist> > Accounts > Add.

3) Add the two accounts that were just created; in this example they are named multiplex1 and multiplex2.

4) Select one of the accounts, go to the Settings menu and make sure that “Manage this password” is checked. Repeat for the other sub-account. Also make sure that periodic password rotation is enabled at the domain or global security settings level.

5) In the admin portal, go to Resources > Accounts > Multiplexed Accounts and choose Add Multiplexed Account. Give this account a name and add the two sub-accounts. Please note that the accounts selected must have the appropriate permissions to run the target service or scheduled task.

More info on multiplexed accounts: https://docs.centrify.com/Content/Infrastructure/resources-add/svr-mgr-apps-multiplex.htm
https://centrify.force.com/support/Article/Automate-Password-Rotation-for-Windows-Services-and-Scheduled-Tasks-26244

Creating the Windows Scheduled Task

1) Open the Windows Task Scheduler tool, right-click the Task Scheduler Library and choose Create Basic Task. For this example we will create a task that opens the Notepad application at a specific time of day.

2) In the wizard, give the task a name and an optional description.

3) Continue through the wizard and fill in the details about the following:
- When the task should start
- What action the task should perform
- If the task will start a program, the path to the executable for that program

4) Once all the preferred settings are in place, finish the wizard and the task should now show in the list of scheduled tasks.

5) Double-click the task and you will see that the account running the task is the account of the user who created it. Do not try to change it to the multiplexed account here: “Change User or Group” only lets you specify a single AD account, not the multiplexed account. That is explained in the next few steps. You do, however, first need to select the option “Run whether user is logged in or not”; a password prompt will appear, and you must enter the password of the account that was used to set up the task.

Adding the Task to the Admin Portal

The last phase of this project is to add the scheduled task to the admin portal, either manually or through discovery. Doing this ensures that the multiplexed account can be chosen to run the task. The steps are:

1) Go to Resources > Services and choose Add Service. Fill in the following details:
- Select the system where the task is running (also make sure the system where the task was created is added as a resource in the admin portal)
- In the Service Type drop-down, choose “Windows Scheduled Task”
- In the Name field, specify the path to the task; notice that it is \notepad. If you are not sure how to find the path to the task, go back to the task properties in Task Scheduler and check the location shown there.
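As an added example that is not part of the original article, the Notepad task from the “Creating the Windows Scheduled Task” section can be registered with PowerShell instead of the wizard. The account name CONTOSO\svc-task-owner, the 09:00 trigger time and the Notepad path are assumptions used only for illustration; supplying -User and -Password to Register-ScheduledTask is the scripted equivalent of choosing “Run whether user is logged in or not”, because it stores the password with the task.

```powershell
# Added example, not from the Centrify article. Run in an elevated PowerShell
# session on the Windows system where the task should live.

$taskName = 'notepad'                 # registered in the root folder, so the task path is \notepad
$runAs    = 'CONTOSO\svc-task-owner'  # placeholder: the AD account used to set up the task

# Prompt for the password rather than embedding it in the script
$cred = Get-Credential -UserName $runAs -Message 'Password for the account that will run the task'

# Action: start Notepad, the same action the wizard example uses
$action = New-ScheduledTaskAction -Execute 'C:\Windows\System32\notepad.exe'

# Trigger: daily at 09:00 (assumed time of day)
$trigger = New-ScheduledTaskTrigger -Daily -At '09:00'

# Passing -User/-Password stores the credential with the task (LogonType Password),
# which is what the wizard's "Run whether user is logged in or not" option does.
# A stored password is exactly what later needs to be under password management.
Register-ScheduledTask -TaskName $taskName -TaskPath '\' `
    -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited | Out-Null

# Confirm the task path (the value entered in the admin portal's Name field, \notepad)
# and the account the task currently runs under.
$task = Get-ScheduledTask -TaskName $taskName -TaskPath '\'
'{0}{1} runs as {2} (logon type: {3})' -f $task.TaskPath, $task.TaskName,
    $task.Principal.UserId, $task.Principal.LogonType
```

The last two lines print the same information that the task's General tab shows (location and “When running the task, use the following user account”), which is useful for confirming the path before adding the task as a service in the admin portal.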
2) Scroll down a little further and under Service Password Management, choose a domain administrative account and the multiplexed account. Also make sure to check “Enable management of this service password” so that it looks like the below image:
The options for “Restart Service when password is rotated” will not be available, since those settings only apply if the multiplexed account is set to manage a Windows Service.
3) Once you are ready, click on Save and the following message should appear.
4) After choosing Yes, go back to the task properties and you will see that the multiplexed account is now managing the task. It shows the currently active sub-account.
Additional Item to Note:
In the above image, the active account is multiplex2. If for some reason you need to manually rotate the password for this account, you will get an error like the following:
If the password needs an immediate rotation due to security concerns, go back to the Admin portal > Resources > Services and find the service that the account is used for and choose Actions > Push Password Management. This will force the alternate sub-account to be the active account for the service and the multiplex2 account can now be rotated. Then repeat this process if the other account needs a manual rotation.
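To verify, on the Windows system itself, which sub-account is currently running the task after a Push Password Management, and to find any other tasks that still run with a stored password under an unmanaged account, the following inventory script can be used. It is an added example and not part of the Centrify article; it assumes only the built-in ScheduledTasks PowerShell module and shows whatever tasks and accounts exist on the host.

```powershell
# Added example, not from the Centrify article. Lists every scheduled task on this
# system whose credential is stored with the task (LogonType Password, i.e.
# "Run whether user is logged in or not") and is not a built-in Windows account.
# These are the tasks exposed to the stale-password and credential-abuse risk the
# article describes, and the RunsAs column shows which sub-account is active for a
# task managed by a multiplexed account.

# Built-in principals have no password to rotate, so they are excluded
$builtIn = @(
    'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE',
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
)

Get-ScheduledTask |
    Where-Object {
        $_.Principal -and
        $_.Principal.LogonType -eq 'Password' -and
        $_.Principal.UserId -and
        ($builtIn -notcontains $_.Principal.UserId.ToUpper())
    } |
    ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task       = $_.TaskPath + $_.TaskName    # e.g. \notepad, the Name used in the admin portal
            RunsAs     = $_.Principal.UserId          # active sub-account for a multiplexed task
            State      = $_.State
            LastRun    = $info.LastRunTime
            # 0 means the last run succeeded; anything else after a rotation is worth checking,
            # since a failed logon is the usual symptom of a password the task no longer knows
            LastResult = ('0x{0:X}' -f $info.LastTaskResult)
        }
    } |
    Sort-Object RunsAs, Task |
    Format-Table -AutoSize
```

Running this before and after Actions > Push Password Management should show the RunsAs value for \notepad switch from one sub-account to the other, which confirms that the alternate account is now active and the previously active account can be rotated.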