Concept
CyberQP's QGuard product is designed to help MSPs automatically rotate passwords to improve account security. Passwords rotated by CyberQP are automatically updated in the secure password vault or in a documentation tool such as IT Glue or Hudu.
When Services or Scheduled Tasks run under an Active Directory or Local account, CyberQP can rotate those passwords as well. After the rotation completes, CyberQP also updates the Service or Task with the new password so it keeps running.
However, it can be difficult to track down all of the Services and Tasks in use across the systems in your Customer's environment. Checking the Services console by hand, sorting by account name and recording the Service names to work out which accounts are in use is tedious and easy to get wrong.
This article explains how to use the supplied PowerShell scripts to scan the Domain Controllers and Domain Joined servers and list the Services and Tasks that run under specific account names.
Prerequisites
- QGuard product included in your subscription.
- An Active Directory Domain
- Administrator level access to a Domain Controller
- Network access from the Domain Controller used for the scan to the other Domain Joined Servers, so it can query their Services and Tasks remotely (remote management must not be blocked by firewalls)
- Administrator level access to any stand-alone (non-Domain Joined) system you want to scan locally
Process
Preparation
- Download the supplied PowerShell scripts for Services and/or Tasks
Tasks Discovery PowerShell Script
Services Discovery PowerShell Script
- Modify the Script line 9 ($checkPath=) to point to a Path that the Administrator account you will be using has access to, and save the edit. If the Folder does not already exist, it will be created.
- Copy the updated script to a Domain Controller of your choice for this task.
Implementation
- Open PowerShell or PowerShell ISE as Administrator
- Change to the folder you copied the script to. If a restrictive PowerShell Execution Policy is in place, allow scripts to run for the current session only. Scoping the change to the process avoids loosening the machine-wide policy; you can use this PowerShell command to do so:
Set-ExecutionPolicy Bypass -Scope Process
- Run the script
What the Script Does
Running the script will:
- Import the ActiveDirectory PowerShell module
- Get the names of all Domain Joined machines running a Server OS from all OUs in the AD environment.
- For each Server OS found, the script will
- Scan for all Services or Tasks on the system (depending on the script you are executing)
- Limit the results to JUST those that are NOT run with the default/built-in or "NULL" accounts.
- Export the results for servers that responded to a CSV file in the path you modified earlier. This CSV includes the server name, the service or task name, and the associated account.
  Services: Path\ServiceReachableServers.csv
  Tasks:    Path\TaskReachableServers.csv
- Export any server that did not respond to a CSV file in the same path, listing the name of the Server.
  Services: Path\ServiceUnReachableServers.csv
  Tasks:    Path\TaskUnReachableServers.csv
Using a PowerShell Script to Discover Service or Task Accounts on "Stand Alone" Systems or Systems that did not respond when scanned.
- Download the supplied PowerShell scripts for Services and/or Tasks
Local Services
Local Tasks
- Modify the Script line 6 ($checkPath=) to point to a Path that the Administrator account you will be using has access to, and save the edit. If the Folder does not already exist, it will be created.
- Copy your updated script to a System that you want to check for Services or Tasks for rotation.
- Open PowerShell or PowerShell ISE as Administrator
- Change to the folder you copied the script to. If a restrictive PowerShell Execution Policy is in place, allow scripts to run for the current session only. Scoping the change to the process avoids loosening the machine-wide policy; you can use this PowerShell command to do so:
Set-ExecutionPolicy Bypass -Scope Process
- Run the script
- Repeat the process for any other system for which you need to collect this data.
These scripts perform the same functions as the Domain Scripts supplied above, except they are only for the Local System you have executed them on.
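The script below is an added example of the discovery described in the two sections above. It is not one of the CyberQP-supplied scripts; it shows one way to collect the same data with standard cmdlets. It enumerates services (Win32_Service) and scheduled tasks (Get-ScheduledTask) on every Server OS computer in the domain, or only on the local machine with -LocalOnly for stand-alone systems and servers that did not respond, drops the built-in and "NULL" principals, and writes CSV files with the article's file names into $checkPath. It also adds an AccountKind column (Local, Domain, ManagedServiceAccount, VirtualAccount, OtherDomain) worked out from the prefix of the account name, which the Task Scheduler console does not show. Assumptions: PowerShell 5.1, the ActiveDirectory module on the Domain Controller, WinRM reachable on the targets, and a default $checkPath of C:\QPDiscovery that you should change.

```powershell
# Added example, not CyberQP's supplied script: lists services and scheduled tasks
# that run under accounts Windows does not manage itself. Assumes PowerShell 5.1,
# the ActiveDirectory module on the DC, and WinRM open on the target servers.
param(
    [switch]$LocalOnly,                    # stand-alone box, or a server that did not respond to the domain scan
    [string]$checkPath = 'C:\QPDiscovery'  # assumption: any folder the account running this can write to
)
if (-not (Test-Path $checkPath)) { New-Item -ItemType Directory -Path $checkPath | Out-Null }

# Identities whose credentials the OS maintains; the article's "default/built-in or NULL" set.
$builtIn = @('LocalSystem', 'SYSTEM', 'NT AUTHORITY\SYSTEM',
             'LOCAL SERVICE', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE',
             'NETWORK SERVICE', 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE')

# Runs on each target: Win32_Service.StartName for services, Principal.UserId for tasks.
$scanBlock = {
    $items = @(foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        [pscustomobject]@{ Type = 'Service'; Name = $svc.Name; Account = $svc.StartName }
    })
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {   # Server 2012 and later
        $items += @(foreach ($t in Get-ScheduledTask) {
            [pscustomobject]@{ Type = 'Task'; Name = ($t.TaskPath + $t.TaskName); Account = $t.Principal.UserId }
        })
    }
    $items
}

# Classifies an account from the prefix before '\', so the CSV says Local or Domain.
function Get-AccountKind {
    param([string]$Account, [string]$ComputerName, [string]$DomainNetBios)
    if ([string]::IsNullOrWhiteSpace($Account) -or $builtIn -contains $Account.Trim()) { return 'BuiltIn' }
    if ($Account -like 'NT SERVICE\*') { return 'VirtualAccount' }        # per-service identity, no password
    if ($Account.Trim() -like '*$')   { return 'ManagedServiceAccount' }  # MSA/gMSA, rotated by the domain
    if ($Account -like '*@*')         { return 'Domain' }                 # UPN form, user@domain
    $prefix, $null = $Account -split '\\', 2
    if ($prefix -eq $Account)         { return 'Local' }                  # no prefix: usually a local account; verify on the host
    if ($prefix -eq '.' -or $prefix -eq $ComputerName) { return 'Local' }
    if ($prefix -eq $DomainNetBios)   { return 'Domain' }
    return 'OtherDomain'   # trusted domain or unknown prefix; confirm by hand before importing
}

if ($LocalOnly) {
    $servers = @($env:COMPUTERNAME)
    $domainNetBios = $env:USERDOMAIN
} else {
    Import-Module ActiveDirectory
    $domainNetBios = (Get-ADDomain).NetBIOSName
    $servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' -Properties OperatingSystem |
               Where-Object { $_.DNSHostName } | Select-Object -ExpandProperty DNSHostName
}

$found       = New-Object System.Collections.Generic.List[object]
$unreachable = New-Object System.Collections.Generic.List[object]
foreach ($server in $servers) {
    try {
        $results = if ($LocalOnly) { & $scanBlock }
                   else { Invoke-Command -ComputerName $server -ScriptBlock $scanBlock -ErrorAction Stop }
    } catch {
        $unreachable.Add([pscustomobject]@{ Server = $server; Error = $_.Exception.Message })
        continue
    }
    $shortName = ($server -split '\.')[0]
    foreach ($r in $results) {
        $kind = Get-AccountKind -Account $r.Account -ComputerName $shortName -DomainNetBios $domainNetBios
        if ($kind -eq 'BuiltIn') { continue }   # same filter as the article's scripts
        $found.Add([pscustomobject]@{ Server = $server; Type = $r.Type; Name = $r.Name; Account = $r.Account; AccountKind = $kind })
    }
}

# Same file names the article uses; one UnReachable list, since both kinds come from a single scan.
$found | Where-Object Type -eq 'Service' | Export-Csv (Join-Path $checkPath 'ServiceReachableServers.csv') -NoTypeInformation
$found | Where-Object Type -eq 'Task'    | Export-Csv (Join-Path $checkPath 'TaskReachableServers.csv')    -NoTypeInformation
$unreachable | Export-Csv (Join-Path $checkPath 'UnReachableServers.csv') -NoTypeInformation
$found | Format-Table Server, Type, Name, Account, AccountKind -AutoSize
"$($found.Count) non-built-in service/task principals found; $($unreachable.Count) server(s) unreachable."
```

Run it from an elevated PowerShell prompt on a Domain Controller (.\Discover-ServiceAccounts.ps1, a file name of your choosing), or copy it to a stand-alone or unreachable server and run it with -LocalOnly. Managed Service Accounts (names ending in $) are kept in the output but labelled ManagedServiceAccount so you can see where they are used without importing them; rows labelled OtherDomain need a manual check before you decide whether they belong to this domain's rotation.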
How to Manually Discover Service or Task Accounts on "Stand Alone" Systems or Systems that did not respond when scanned.
- Log onto the system in question with an Administrative Account.
- Services
- Open the Services Console (services.msc)
- Ensure that the "Log On As" column is visible (it is shown by default).
- If the column is not visible, select View -> Add/Remove Columns from the menu and move Log On As to the Displayed columns list.
- Click the Log On As column header to sort the list alphabetically (click a second time to reverse the sort order).
- Local System, Local Service and Network Service are built-in accounts and do not require rotation: their credentials are managed by the operating system itself (on a Domain Joined system, the computer account password that Active Directory rotates automatically), so there is no password for you to manage.
- Services listed with a Domain account (DOMAIN\name) or a Local account (.\name or COMPUTERNAME\name) are the ones you are looking for.
- Record the system name and the account name used to run each service.
- Import and Match to the Integration, the accounts using the process described in this KB
https://support.getquickpass.com/hc/en-us/articles/360052090173-How-to-Setup-Scheduled-Password-Rotation-of-Service-Accounts-with-External-Password-Vault
- Tasks
- Open the Task Scheduler Console
- Browse to the Task Scheduler Library
- Select each visible task and double-click it, or right-click it and select Properties
- On the General tab, under Security options, look at "When running the task, use the following user account:"
- You are looking for any Task that is not running as SYSTEM or another built-in account (LOCAL SERVICE, NETWORK SERVICE).
- Make sure the Quickpass Agent is installed on the server to enable rotation and detection of Services or Tasks.
NOTE: The Task Scheduler console does NOT show whether the account used is an Active Directory or Local Account. You will have to do some additional investigation to determine whether an account listed in the CSV file is a Local Account or an Active Directory account.
What you should do with the information in the CSV files.
The data that is exported from the PowerShell script will allow you to be aware of Services or Tasks and the associated accounts. If you determine that these accounts should be rotated, please review this KB:
https://support.getquickpass.com/hc/en-us/articles/360052090173-How-to-Setup-Scheduled-Password-Rotation-of-Service-Accounts-with-External-Password-Vault
Active Directory Accounts used to run Services or Tasks
- Ensure the Quickpass Agent is installed on the Domain Controllers AND the Servers that have Services or Tasks that you have determined will require rotation.
- You will want to manually import these Active Directory Account(s) from the Active Directory Domain.
- If the account(s) have already been imported into the Administrator Accounts Screen, you can simply delete the account from that screen and re-import them to the Service Accounts screen. (NOTE: Deleting this account will only remove it from the CyberQP portal. By selecting Delete, this will NOT delete this account from Active Directory, Azure Active Directory or the Local Machine.)
- Once the account(s) are imported and matched to the integration, as per the KB above, a password that is rotated will update the Active Directory environment and then scan any other Domain Joined server to check the Services and Tasks list for that account. If there is a Service or Task that is using that account (as per the Discovery you ran above) it will be updated on the Server as well.
Local Accounts used to run Services or Tasks
- Ensure the Quickpass Agent is installed on the Server that is using a local account to run the Service or Tasks that you have determined will require rotation.
- You will want to manually import the Local Account(s) from that Server.
- If the account(s) have already been imported into the Administrator Accounts Screen, you can simply delete the account from that screen and re-import them to the Service Accounts screen. (NOTE: Deleting this account will only remove it from the CyberQP portal. By selecting Delete, this will NOT delete this account from Active Directory, Azure Active Directory or the Local Machine.)
- Once the account(s) are imported and matched to the Integration, as per the KB above, a password that is rotated will update the Local Account password and then scan the individual server to check the Services and Tasks lists for that account. If there is a Service or Task that is using that account (as per the Discovery you ran above) it will be updated on the Server as well.
Quickpass MSA Account
The Quickpass MSA account may appear in the list of Service Accounts for Domain Controllers when you run this discovery. This happens when the Quickpass Agent was installed with MSA=1 during a scripted installation, or with the Custom Managed Service Account option selected during a GUI install. These accounts do not need to be rotated and cannot be selected for import to the Quickpass Dashboard: their passwords are already rotated automatically by the domain (the KDC service) on a regular schedule. See Microsoft's documentation on managed service accounts for details.
Conclusion
After importing and matching the accounts, you can decide whether you want to automate password rotation or manually update the password when you determine it should be changed. (https://support.getquickpass.com/hc/en-us/articles/360052090173-How-to-Setup-Scheduled-Password-Rotation-of-Service-Accounts-with-External-Password-Vault)