
Automating Security - Elevating Your Digital Defense with Smart Password Management

2 min read
Tyler Engelhardt
Founder of Mainely Innovations

Service Account Overview

In the realm of production system maintenance and risk reduction, service account password management stands as a critical yet traditionally manual process. Regulatory requirements, like NERC, often mandate password rotation, while cyber policies seek to fortify the digital environment. For complex systems like AVEVA PI Server or SCADA integrations, the manual effort involved in logging into servers, coordinating downtime, and ensuring system stability after rotation can be an all-day event. Enter automation tools, which streamline the coordination and minimize the code required for these processes.

Case Study

Imagine a large utility operating a PI System with over 10 million PI Points, spread across 700 locations, and spanning multiple networks and domains. Rotating service account credentials manually on over 120 servers, covering IIS-based applications, Windows Tasks, and Windows Services, would be an arduous task. This manual execution demands meticulous effort and coordination to achieve a 100% completion rate for password rotation and prevent account lockouts.

Our solution? Leveraging Ansible, we developed a dynamic and efficient process that gracefully executed actions across each business segment. Using Ansible, we created reusable components for software installation, upgrade, and password rotation. This approach allowed us to:

  • Stop services
  • Change passwords in Active Directory using BeyondTrust
  • Rotate passwords for each service, IIS application pool, or task, and
  • Restart services in the appropriate order.
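The four steps above, as an added Ansible playbook sketch that is not the author's own code: it assumes the new password has already been set in Active Directory through the vault (the BeyondTrust step) and is passed in as the variable svc_new_password, and that the inventory group, account, service, app pool and task names are placeholders.

```yaml
# Added example, not the original article's playbook. Assumes svc_new_password
# was already set in AD via the vault and is supplied at run time (e.g. with
# --extra-vars from a vault lookup); all names below are placeholders.
- name: Rotate a service account password on one business segment
  hosts: pi_segment_a                 # placeholder inventory group
  gather_facts: false
  serial: 5                           # small batches limit the blast radius
  vars:
    svc_account: "CORP\\svc_pi_example"        # placeholder account
    svc_services: ["pibasess", "piarchss"]      # placeholder, in start order
  tasks:
    - name: Stop dependent services in reverse start order
      ansible.windows.win_service:
        name: "{{ item }}"
        state: stopped
      loop: "{{ svc_services | reverse | list }}"

    - name: Set the new credential on each Windows service
      ansible.windows.win_service:
        name: "{{ item }}"
        username: "{{ svc_account }}"
        password: "{{ svc_new_password }}"
      loop: "{{ svc_services }}"
      no_log: true                    # keep the secret out of job output

    - name: Update the IIS application pool identity
      community.windows.win_iis_webapppool:
        name: "PIWebApiPool"          # placeholder app pool
        state: started
        attributes:
          processModel.identityType: SpecificUser
          processModel.userName: "{{ svc_account }}"
          processModel.password: "{{ svc_new_password }}"
      no_log: true

    - name: Update the scheduled task that runs as the account
      community.windows.win_scheduled_task:
        name: "PI Nightly Backup"     # placeholder task
        username: "{{ svc_account }}"
        password: "{{ svc_new_password }}"
        logon_type: password
      no_log: true

    - name: Start services again in their required order
      ansible.windows.win_service:
        name: "{{ item }}"
        state: started
      loop: "{{ svc_services }}"
```

Running the rotation tasks only after every service is stopped is what prevents a half-rotated host from locking the account out; `no_log: true` keeps the new credential out of CI/CD logs.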

The impact was substantial. This automated process seamlessly rotated service account passwords on dozens of servers within a matter of minutes, eliminating the need to log into a single server manually. Using this process saved the team significant time by reducing the effort required to prepare each server and service account, not to mention streamlining the actual rotation process.

gMSA Alternative

While Group Managed Service Accounts (gMSA) present an alternative and preferred approach, managing passwords automatically through negotiation with Active Directory, there are situations where company policies or network architectures prohibit their use. In such cases, developing a robust, automated process becomes crucial for minimizing errors and downtime.

Conclusion

Integrating automation with configuration management tools, like Ansible, emerges as a game-changer in password rotation efforts. Through effective utilization of source control, CI/CD pipelines, scheduling, and approvals, automation not only reduces downtime but also enhances the overall reliability of the password management process. Elevate your digital defense by embracing automation for a smarter, more efficient security approach.