It is well known that Administrators should always create dedicated service accounts with appropriate access to be used by network applications on a Microsoft network. However there is always a case of a lazy administrator in the past who could not be bothered to create dedicated service accounts so they use the default domain admin account "Domain\Administrator" for applications and services to use. So what happens in the event when there are applications and services across the network using a default domain account, everyone including previous employees, current employees and end users know the password to this account and you don't know exactly applications are using the account? This article addresses exactly this situation.
The only way to identify all applications using an account for authentication is to revert to audit logs on domain controllers and identify the IP addresses in which the authentication attempts have been initiated from. Once you have the IP addresses as an administrator your able to dig down into the servers configuration and identify what applications are installed and figure out what is making the authentication attempts from the account. No application will be able to tell you exactly what program is performing the authentication request because all applications are different. For example some applications may store the domain administrator credentials in a text configuration file, others might store the credentials in some type of database table and others might simply store it in a service or scheduled task. No audit application understand the inter workings of every single application made, at best they can only look for where applications "usually" store credentials and return results based on that.
Another thing to note is each domain controller stores audit logs for authentication requests made against the individual DC. There is no place where you can look at all authentication requests against domain controllers on a domain wide level without using additional software. To gain inside into what authentication requests are being made on your network I recommend a product such as Snare Server. Snare is seen by many as the industry standard for capturing and filtering audit and event log data. Snare Server will pull audit logs from all domain controllers in your organisation and allow you to quickly identify exactly what servers in your organisation are using a specific account.
After ringing them for pricing, they are very cost effective compared to other audit collection tools on the market. Its priced based on geographical region, so you will need to contact them to get pricing for your country.
Check out the following video which goes through Snare Server in detail:
Discovery VBS Script
As mentioned above the only way to perform a thorough audit of what applications in your environment are using a specific account is to revert to audit logs. However below I will show you a handy VBS script which is able scan through all computer accounts in your domain and check if they are using an administrator account for a service or scheduled task. This script can be downloaded from the following location, just rename it to *.vbs.
This script requires you to modify two fields:
- The strSearchFor field is the account in which you want to find. For example, Administrator.
- The strExclude field are computers or locations within Active Directory in which you want to exclude. If you want to exclude nothing you can leave this field as ""
strExclude = "dx-iren,dx-iren2,OU=Computers"
When you run the script it will display output in a webpage. It pings each machine before performing the scan to ensure it is online so ensure ICMP is enabled on your windows firewall. This can be done with group policy.
Ensure you launch it using cscript from a command prompt running as Administrator "Run As Administrator" to get around User Account Control (UAC) restrictions.
The audit results get pushed out to a CSV file under C:\results.csv and can be opened in Excel.
Hope this post has been helpful and goodluck.