spinoza156

asked on

How can I determine what accounts are logging in as a service

Hi.

We recently had an incident whereby a system was compromised. The SQL service on the system was running under our domain administrator account credentials. We are not sure if that account has had its password leaked, but we want to be proactive and change the password.

The domain administrator account is used across many different servers in our organization for this purpose. If we change the password we will obviously cause all those services to fail their authentication.

My question is: Is there a tool that I can use that can scan a server or multiple servers to let me know exactly what accounts are used by services to authenticate?

Needless to say we will be using another account going forward.

Thanks!
becraig

Here is a quick script that you can feed server names into:

It will give you a list of services that are running under domain credentials.

$serviceinfo = @()
(gc serverlist.txt) | % {
$server = $_
gwmi win32_service -computername $_| where {$_.StartName -ne "LocalSystem" -and $_.StartName -ne "NT AUTHORITY\LocalService" -and $_.startname -ne "NT Authority\NetworkService"} | % { $serviceinfo +=  "$server, $_.Name, $_.StartName"  }
}
$serviceinfo | Select * | Export-Csv c:\service-reports.csv -NoTypeInformation


spinoza156

ASKER

Thanks becraig. My script knowledge is very limited. Is this a vbs script? Could you please provide an example of how you would run this with a server named 'foo'?
This is a PowerShell script.

Steps:
1. Save the code snippet as a file, e.g. "script.ps1".
2. Open a PowerShell window (Run > powershell).
3. Navigate to the path where you saved script.ps1.
4. Save a text file copy of your list of servers, "serverlist.txt", in the same location.
5. Run the script by entering ./script.ps1
Ok. Thank you for the detail. I got the script to run, it created the file but it's empty. I created the serverlist.txt with the FQDN of one of my servers on the first line.
$serviceinfo = @()
(gc serverlist.txt) | % {
$server = $_
write-host "Processing Server ..." -fore yellow
gwmi win32_service -computername $server | where {$_.StartName -ne "LocalSystem" -and $_.StartName -ne "NT AUTHORITY\LocalService" -and $_.startname -ne "NT Authority\NetworkService"} | % { $serviceinfo +=  "$server, $_.Name, $_.StartName"  }
}
$serviceinfo | Select * | Export-Csv c:\service-reports.csv -NoTypeInformation

Made a quick update to a bad pipe.
Thanks. I get the Processing Server... but still the same result.
I tried using the hostname of my local machine and it came back with the attached (screenshot).
$serviceinfo = @()
(gc serverlist.txt) | % {
$server = $_
write-host "Processing Server ..." -fore yellow
# Drop the built-in identities; whatever is left runs under a real local or domain user account
gwmi win32_service -computername $server | where {$_.StartName -ne "LocalSystem" -and $_.StartName -ne "NT AUTHORITY\LocalService" -and $_.startname -ne "NT Authority\NetworkService"} | % { 
# Copy the properties into plain variables first: "$_.Name" inside a double-quoted string does not expand the property
$sname = $_.Name; $sacct = $_.StartName
$serviceinfo +=  "$server, $sname, $sacct"  
}
}

$serviceinfo | out-file c:\service-reports.csv 


This is the result (screenshot).
ASKER CERTIFIED SOLUTION
becraig
You are right.

I have to run it locally on the server though to get it to work.
Thanks!
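A more defensive version of the same inventory, added here as an editor's example (it is not becraig's script or anything from the thread). It assumes the same one-hostname-per-line serverlist.txt, uses a placeholder account name (CONTOSO\svc-old-admin) for the account about to be rotated, and reaches remote servers over WinRM via Get-CimInstance; if a server cannot be queried, that failure is written into the report instead of silently producing an empty file, which is what the asker ran into above.

```powershell
# Editor's example (not the thread's script): list every service that runs under a
# non-built-in account across a set of servers, flag the account being rotated, and
# record per-server query failures so an empty report never masquerades as "clean".
param(
    [string]$ServerList   = '.\serverlist.txt',          # one hostname or FQDN per line (assumed layout)
    [string]$WatchAccount = 'CONTOSO\svc-old-admin',     # placeholder: the account whose password will change
    [string]$OutFile      = '.\service-accounts.csv'
)

# Identities with no domain password to rotate; everything else is reported.
$builtinPatterns = @(
    '^LocalSystem$',
    '^NT AUTHORITY\\(Local|Network) ?Service$',
    '^NT SERVICE\\'                                      # per-service virtual accounts
)
$watchSam = $WatchAccount.Split('\')[-1]                 # bare account name, for DOMAIN\ and UPN forms

$report = foreach ($server in (Get-Content $ServerList | Where-Object { $_.Trim() })) {
    $server = $server.Trim()
    Write-Host "Processing $server ..." -ForegroundColor Yellow

    # Query the local machine directly; remote hosts go over WinRM (TCP 5985 by default).
    # Get-WmiObject, used in the thread, goes over DCOM/RPC instead and needs different firewall rules.
    $cimArgs = @{ ClassName = 'Win32_Service'; ErrorAction = 'Stop' }
    if ($server -notin '.', 'localhost', $env:COMPUTERNAME) { $cimArgs.ComputerName = $server }

    try {
        $services = Get-CimInstance @cimArgs
    }
    catch {
        # Keep the failure in the report: a blocked query must look different from "no findings".
        [pscustomobject]@{
            Server = $server; Service = $null; DisplayName = $null; StartName = $null
            State  = $null;   IsWatched = $false; Error = $_.Exception.Message
        }
        continue
    }

    foreach ($svc in $services) {
        $acct = [string]$svc.StartName
        if ($acct -eq '' -or ($builtinPatterns | Where-Object { $acct -match $_ })) { continue }
        [pscustomobject]@{
            Server      = $server
            Service     = $svc.Name
            DisplayName = $svc.DisplayName
            StartName   = $acct
            State       = $svc.State
            # -eq and -like are case-insensitive; also catch "anydomain\name" and "name@domain".
            IsWatched   = ($acct -eq $WatchAccount) -or ($acct -like "*\$watchSam") -or ($acct -like "$watchSam@*")
            Error       = $null
        }
    }
}

# Objects (not strings) give Export-Csv a proper header row.
$report | Export-Csv -Path $OutFile -NoTypeInformation
$report | Where-Object IsWatched | Format-Table Server, Service, StartName, State -AutoSize
```

Run it from the folder holding serverlist.txt, e.g. `.\Get-ServiceAccounts.ps1 -WatchAccount 'YOURDOMAIN\administrator'`, then review the Error column before trusting a server with zero rows. The IsWatched rows are the services that will break when the password changes and should be moved to a dedicated service account first; the remaining rows are the broader inventory of services that depend on a real user account.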