MSA 是一种 AD DS 对象类别,能够简化服务帐户的密码及 SPN 的管理。MSA 是从 Windows 7和 Windows Server 2008 R2 开始引入。

MSA 是储存在 AD DS 中当成一种 msDS-ManagedServiceAccount 对象。这个类别 ( class ) 从计算机类别继承架构概念,而从用户类别继承而来。这使得 MSA 能够实现类似用户的功能,例如:执行服务时可以提供验证和安全性的内容,同时也让 MSA 可以使用在 AD DS 中计算机对象所使用的密码自动更新机制,这是一个不需要用户互动的机制流程。

MSA 提供下列好处来简化管理:

自动密码管理。MSA 维护它自己的密码,包含自动变更密码机制。

简化 SPN 管理。如果你配置你的域是在 Windows Server 2008 R2 域功能级别或更高级别时,则会

自动进行 SPN 管理。

Let’s try to get the password of the account under which SQL Server is run.

There is:

  • Domain controller at Windows Server 2012 R2

  • SQL Server Express 2012

During the SQL Server installation specify the existing domain account (the password length is less than 14 symbols) to run it.

Use the gsecdump utility to extract passwords.
Run PowerShell as administrator and run the command:

gsecdump-v2b5.exe -1

The result is:

What is Managed Service Accounts

The Managed Service Accounts (MSA) mechanism has been developed as the protection from such attacks in Windows Server 2008 R2.

Managed Service Accounts are managed accounts in a domain that provide automatic password management and simplified management of the participant service names including delegating control to other administrators.
Advantages of Managed Service Accounts

  • An automatic password change. By default a password is changed every 30 days

  • A complex password. A complex, automatically generated password consisting of 240 random symbols (the first half includes English letters, the second half — numerals and other symbols)

  • No superfluous rights

  • An opportunity to use one MSA on several servers (gMSA) in case when all service instances should use a single subject, e.g., for using in NLB

  • SPN Management

Automatic update of the SPN after the renaming

  • server account

  • dnshostname property of the server account

  • changing addition-aldnshostname property of the server account

  • changing additionalsam-accountname property of the server account

Services that support MSA:

  • IIS

  • AD LDS

  • SQL Server 2008 R2 SP1, 2012

  • MS Exchange 2010, 2013

MSA Requirements

  • Domain and forest level – Windows Server 2008 R2

  • Windows Server 2008 R2, Windows 7 (Professional, Enterprise, Ultimate) and above

  • Active Directory administration module for PowerShell

  • The installed patch KB2494158

If a forest and a domain don’t have the 2008 R2 (MSA) and 2012 (gMSA) levels, you have to increase the forest level using the command:

adprep /forestprep

And increase the domain level using the command:

adprep /domainprep

in each domain, in which you have to create and use managed service accounts.

How to Enable MSA in PowerShell

  1. Run the cmdlet: 

    Import-Module ActiveDirectory

  2. To create an MSA account, you have to run the cmdlet:

     New-ADServiceAccount serviceaccount -RestrictToSingleComputer

    where serviceaccount is the name of the MSA account

    The parameter RestrictToSingleComputer means that MSA will be linked only to a single server. You can go to Active Directory Users and Computers and make sure that MSA has been created (for the section Managed Service Accounts to appear, you have to enable Advanced Features in the View menu of the AD snap-in).

  3. To link MSA to the server, run the cmdlet:

     Add-ADComputerServiceAccount -Identity server -ServiceAccount serviceaccount

    where server is the name of the server which is associated with MSA

    serviceaccount is the name of the MSA
    To check if the operation has succeeded, go to Active Directory Users and Computers, then move to the server properties and check msDS-HostServiceAccount attribute

  4. Install the managed service account on the local computer

    You have to run the cmdlet:

    Install-ADServiceAccount -Identity serviceaccount

    where serviceaccount is the name of the MSA

  5. Test the MSA (Windows 8.1, Windows PowerShell 4.0, Windows Server 2012 R2)

    Run the cmdlet:

    Test-ADServiceAccount serviceaccount

    where serviceaccount is the name of the MSA

    It returns the value True or False

  6. Set to run Windows service as MSA and restart the service.

    Don’t forget to put ‘$‘ at the end of the MSA name
    The field Password should be left empty.

Let’s check the service account password using the gsecdump utility

Group Managed Service Accounts in Windows Server 2012

In Windows Server 2012 there appeared Group Managed Service Accounts (gMSA). They allow to link a managed account not to a single server, but to several of them.

It can become necessary, for example, in Network Load Balancing or Windows cluster.

Requirements:

  • Schema level – Windows Server 2012

  • Windows Server 2012 (R2) domain controller running Microsoft Key Distribution Service

  • Windows Server 2012, 2012 R2, 8, 8.1

  • Active Directory administration module for PowerShell

How to Enable gMSA in PowerShell

  1. Make sure that Microsoft Key Distribution Service is on “Microsoft Key Distribution Service uses a shared secret to generate account keys. These keys are changed from time to time. Along the other attributes of the Group Managed Service Accounts the Windows Server 2012 domain controller gets a password for a key provided by key distribution services. By addressing to the Windows Server 2012 domain controller Windows Server 2012 and Windows 8 hosts can get a current and a previous passwords.”

    Create a Root Key

    Root Key can be created with the cmdlet:

    Add-KdsRootKey

    To create a new Root Key, run the following cmdlet:

    Add-KdsRootKey -EffectiveImmediately

    In this case the key will be available in 10 hours, until replicated.

    You can also run a cmdlet:

    Add-KdsRootKey -EffectiveTime ((get-data).addhours(-10))

    Then the key will become available immediately (10 hours of work are saved)

  2. Create gMSA

    Run the cmdlet:

    New-ADServiceAccount serviceaccount -DNSHostName tst.test.com -PrincipalsAllowedToRetrieveManagedPasswork $test

    where serviceaccount is the name of the gMSA

    tst.test.com is the name of the server, on which a Root Key has been created
    $test is the name of the server that can address KDS to get dataYou can go to Active Directory Users and Computers and make sure that gMSA has been created (for the section Managed Service Accounts to appear, you have to enable Advanced Features in the View menu of the AD snap-in).

  3. Install the managed service account on the local computer

    You have to run the cmdlet:

    Install-ADServiceAccount -Identity serviceaccount

    where serviceaccount is the name of the gMSA

  4. Test the gMSA (Windows 8.1, Windows PowerShell 4.0, Windows Server 2012 R2)

    Run the cmdlet:

    Test-ADServiceAccount serviceaccount

    where serviceaccount is the name of the gMSA

    It returns the value True or False

  5. Set to run Windows service as gMSA and restart the service.

    Don’t forget to put ‘$’ at the end of the gMSA name
    The field Password should be left empty.

Let’s check the service account password using the gsecdump utility

MSA/gMSA can be uninstalled using the cmdlet Uninstall-ADServiceAccount

You can set MSA/gMSA parameters with the cmdlet Set-ADServiceAccount

Set the interval of password change:

Set-ADServiceAccount serviceaccount -ManagedPasswordIntervalInDays 60

where serviceaccount is the name of the gMSA

60 is a period of time, after which the password will be changed
Set Kerberos encryption algorithms to be used by MSA
Variants: RC4, AES128, AES256

Set-ADServiceAccount serviceaccount -KerberosEncryptionType RC4,AES128,AES256

Set SPN @{Add=added SPN}

Set NetBIOS name of the service (SAMAccountName)

If it is not set, an ID Name is used

If it is set, the display name in AD will be from Name and the login ID will be from SAMAccountName

Set-ADServiceAccount serviceaccunt -SamAccountName test

MSA is great way to improve the network security.

转自:http://woshub.com/active-directory-managed-service-accounts/