Generic privileged user accounts

1SNUser
Kilo Contributor

In reviewing security of our ServiceNow privileged access accounts I found the following users and roles: 

- 'System Administrator' with admin, user_admin roles

- 'HR Admin' with user_admin role

- 'UpdateSet Admin' with admin, user_admin, soap_update roles

- 'RestAPI' with import_scheduler role

- 'MID Server' with soap, soap_delete, soap_update roles

I was originally told these are interactive accounts used by ServiceNow Administrators and that the password is not changed unless an administrator leaves the organization. I have now been told that UpdateSet Admin, RESTAPI, and MID Server are out-of-box accounts; UpdateSet Admin and MID Server do not have passwords, and REST API is an API local account that does have a password, but the password was set by the third party that implemented ServiceNow for our organization.

I do not have admin access to our ServiceNow instance, and the individuals that do have such access are not currently available.  So, my questions are:

1) Does anyone know if these are out of box accounts and/or if they are interactive (i.e. can be logged in to)?  If not, any suggestions on how this can be determined?

2) What security best practices recommendations can anyone share for these user accounts?

3) What risk exists in not periodically changing the password for these accounts if they can be logged in to (other than weak password controls make it easier for attackers to guess or crack passwords)?  This may be a loaded question, but I'm trying to be prepared to agree or disagree if management indicates there is no risk with these accounts.  


Ehab Pilloor
Mega Sage

Hello,

Without admin access, it can be challenging to verify the nature of these accounts. However, typically, 'System Administrator,' 'Update Set Admin,' 'Rest API,' and 'MID Server' are standard ServiceNow accounts. To determine if they are interactive, you can check the 'Active' field on the User record. If 'Active' is unchecked, it indicates that the user cannot log in. Alternatively, you may check the 'Locked Out' field.

For security best practices:

  • Ensure the principle of least privilege, assigning only necessary roles to each account.
  • Regularly review and update roles based on changing requirements.
  • Monitor and log activities associated with these accounts for any anomalies.
  • If possible, enable multi-factor authentication for added security.

Not periodically changing passwords for interactive accounts poses a potential security risk. Even with strong password controls, routine password changes help mitigate the risk of unauthorized access, especially if credentials are compromised. It's a good practice to periodically review and update passwords, aligning with your organization's security policies.

Ehab Pilloor
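One way to turn the check described above (Active, Locked Out, roles held) into a repeatable review is to audit an export of the user table. The script below is an added example and not code from this thread or from ServiceNow; it assumes a constructed CSV export carrying the sys_user fields active, locked_out, web_service_access_only and last_login_time plus each user's roles, and it flags privileged accounts that a person could still log into.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real data): one row per user, with the
# sys_user fields active / locked_out / web_service_access_only /
# last_login_time and a pipe-separated list of roles from sys_user_has_role.
SAMPLE_EXPORT = """user_name,active,locked_out,web_service_access_only,last_login_time,roles
admin,true,false,false,2024-05-01 09:12:00,admin|user_admin
hr.admin,true,false,false,2023-11-20 14:05:00,user_admin
updateset.admin,true,false,false,,admin|user_admin|soap_update
restapi,true,false,true,2024-04-30 02:00:00,import_scheduler
mid.server,true,false,true,2024-05-01 03:30:00,soap|soap_delete|soap_update
"""

# Roles the original question treats as privileged (plus security_admin).
PRIVILEGED_ROLES = {"admin", "security_admin", "user_admin",
                    "soap_update", "soap_delete", "import_scheduler"}
STALE_DAYS = 90  # assumption: an interactive account unused this long is flagged


def audit(export_csv: str, today: str = "2024-05-02") -> dict:
    """Return {user_name: [finding, ...]} for every account holding a privileged role."""
    now = datetime.strptime(today, "%Y-%m-%d")
    findings = {}  # an empty list means: privileged, but no finding raised
    for row in csv.DictReader(io.StringIO(export_csv)):
        roles = set(filter(None, row["roles"].split("|")))
        held = roles & PRIVILEGED_ROLES
        if not held:
            continue  # not in scope for a privileged-access review
        notes = []
        # 'Interactive' here means a person could log in with a password:
        # active, not locked out, and not restricted to web-service access.
        interactive = (row["active"] == "true"
                       and row["locked_out"] != "true"
                       and row["web_service_access_only"] != "true")
        if interactive:
            notes.append("interactive login possible with roles: "
                         + ", ".join(sorted(held)))
            if not row["last_login_time"]:
                notes.append("never logged in: candidate for lock-out")
            else:
                last = datetime.strptime(row["last_login_time"], "%Y-%m-%d %H:%M:%S")
                if now - last > timedelta(days=STALE_DAYS):
                    notes.append(f"no login in more than {STALE_DAYS} days")
        if "admin" in roles and roles & {"soap", "soap_update", "soap_delete"}:
            notes.append("mixes interactive admin with SOAP integration roles")
        findings[row["user_name"]] = notes
    return findings
```

Accounts such as the constructed restapi and mid.server rows come back with no findings because they are web-service-only, which is the control to ask for on integration users rather than a password rotation schedule.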

1SNUser
Kilo Contributor

Thank you Ehab! What I meant by 'interactive' is not whether the account is active or not, but whether the account can be logged into by an individual. For example, could a person 'hack' into the account and use it to conduct unauthorized activity?

Hi again, 

Sorry for the late reply. Usually the ServiceNow production/training instances employed by companies can be accessed after logging into the company portal. Most companies use Multi Factor Authentication for sign-ins in order to minimise hacking or leaks. If company portal sign-ins are compromised, the employees should contact the company's IT team to counter the leak. In order to hack a company's ServiceNow instance ID, which is unlikely, and use it to conduct unauthorized activity, a hacker would need security_admin to do any real damage. All the company's admins are very cautious about their role and it's unlikely that such an incident would occur.

Hope this answers your question. Please mark it as solution if you found this reply helpful.

Regards,

Ehab Pilloor