4 days ago
Semperis launches tool to secure AD service accounts
Semperis has introduced a new edition of its Directory Services Protector (DSP), known as Service Account Protection Essential, aimed at improving the security management of Active Directory and Entra ID service accounts.
Service accounts, which are non-human identities used by applications to interact with directory services, frequently pose security challenges due to unmanaged proliferation and a tendency to accrue excessive privileges over time. These characteristics make them susceptible to exploitation by cyber attackers.
Service Account Protection Essential is designed to provide organisations with an inventory of these accounts and facilitate ongoing monitoring for vulnerabilities based on intelligence from the Semperis research team. The tool can also discover previously unknown or misplaced service accounts, as well as detect stale and misconfigured ones. In addition, it identifies risky configurations, highlights critical exposures, and issues real-time alerts in response to malicious or anomalous activity.
Security concerns "Service accounts are pernicious and nearly ungovernable by nature, so organisations struggle to adequately address them in security planning. Think about how many applications are onboarded and retired over the course of an Active Directory's lifespan. Each one of these applications may have several service accounts that connect them to AD. Those service account permissions are a black box, with passwords that are static or stale, but no one dares delete them. They're an obvious target for attackers because of their ungovernable state," said Ran Harel, Semperis AVP of Security Products.
The focus on service accounts comes in the wake of high-profile supply chain attacks. Alex Weinert, Semperis Chief Product Officer, drew attention to previous incidents involving compromised service accounts to illustrate their ongoing risk to organisations. "Service accounts are very attractive to attackers. These accounts tend to proliferate in legacy AD applications and acquire excessive privileges over time, making them an obvious target for malicious actors, especially when service accounts are included in privileged cloud roles or groups tied to Microsoft 365. Service Account Protection Essential gives organisations unprecedented visibility into their service account security posture by helping them identify service accounts, create an inventory, and continuously monitor them to reduce the overall attack surface of the hybrid AD environment," said Weinert, former Microsoft VP of Identity Security.
Features and dashboard improvements
The updated DSP platform offers new capabilities designed to streamline work for security teams managing Active Directory and Entra ID object lists. Security practitioners can now categorise AD and Entra ID objects - including both privileged and service accounts - directly within the tool. This categorisation supports administrative tasks, enables swift policy changes, and helps automate responses to malicious modifications by reverting unauthorised changes as soon as they are detected.
The DSP dashboard itself has been enhanced to provide a detailed summary of recent changes within Active Directory, comprehensive records of attack detection events, overall system health indicators, and a risk scoring mechanism. This information is intended to facilitate quick responses to identity threats and help organisations convey the status of their identity security posture internally.
With the launch of Service Account Protection Essential, Semperis expands its capabilities for protecting hybrid and multi-cloud identity environments, which now include Active Directory, Entra ID, and other platforms. The new edition is positioned as a way for businesses to address pressing risks associated with unmanaged service accounts and reduce their exposure to identity-based attacks.
Follow us on:
Share on:
