Simplify Windows Services Management in Three Easy Steps A Technical Overview


Post on 21-Jun-2020


Service Account Manager


Contents

Windows Services Challenges
Limitations of Built-In Management Tools
Starting and Stopping Services
Changing Service Accounts
Service Logon Challenges
Need for Frequent Login Changes
Service Maintenance Alternatives
Three Steps to Automating Your Services Maintenance
1. Discovery
2. Mass Management
3. Reliable Changes
About Service Account Manager
Free Trial Offer


Windows Services Challenges

A service is an application that runs on a host computer to support programs such as email, databases, backup, and many others. Each service may be configured to run as a specific user account depending on the resources it must access, and many service accounts have elevated privileges compared to normal user accounts in your organization.

Since services are granted elevated access to your organization’s sensitive data, in most organizations IT staff are required to frequently update service passwords as they would any highly privileged login – or face failed IT compliance audits and an increased risk of a security breach.

Nearly all Windows applications depend on services, so when a service fails it can significantly disrupt business. For this reason, troubleshooting service failures, recovering failed services, and quickly identifying and correcting the root causes can be one of the most mission-critical tasks that an IT administrator needs to perform.

Limitations of Built-In Management Tools

On most Windows computers, services are managed primarily through the Services Microsoft Management Console (MMC) snap-in (Figure 1, right). The snap-in provides information about the service name, display name, description and file path but does not allow you to change them.

Figure 1 – Services Microsoft Management Console (MMC) Snap-In

The snap-in does allow you to view and change certain properties, one service at a time, on individual machines (Figure 2 below). These properties include:

• Startup type

• Status and start parameters

• Logon account

• Recovery options and any dependencies

Figure 2 – Viewing and Changing Properties in the Services Snap-In


The design of each service determines what actions you can take using the snap-in. For example, for most services the Pause and Resume buttons are disabled by the developer.

Starting and Stopping Services

It is common for Windows administrators to start and stop services when performing routine duties and emergency repairs. However, because of the many service interdependencies present on each machine, it can be difficult to accomplish this task quickly and without undesired outcomes.

The basic management tools found in the snap-in can prevent you from stopping an individual service when other services depend on it, and you cannot start a service if its prerequisite services aren’t yet running. Because the snap-in provides only very basic features to manage dependent services, it can be nearly impossible to manage complex interdependencies without the use of third-party software.

Even so, not all third-party utilities can correctly account for complex interdependencies much of the time. The result can be higher IT staff workloads and unexpected disruptions in critical business applications should changes lead to service failures.

Changing Service Accounts

The service account logon information displayed in the snap-in (Figure 3 below) is applied only when the service starts. In other words, when you change logon properties in the snap-in, the service continues to use the old properties until it is stopped and started.

Figure 3 – Service Logon Information in the Snap-In

Because any manual logon changes that you configure in the snap-in don’t by themselves stop and restart the services – and because stopping and restarting a target service and any interdependencies can be a complex task – third-party tools to automate the process can provide considerable benefits in saved time and reduced likelihood of service disruptions.
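The sequence described above, written out in PowerShell as an added example (not code from this paper or from Service Account Manager): store the new logon, stop the running dependents at every level, restart the target, then restart the dependents in reverse order. The function names are hypothetical and the service name in the usage line is a placeholder.

```powershell
# Added example. Function names are hypothetical; run elevated on the target host.
function Get-RunningDependents {
    param([System.ServiceProcess.ServiceController]$Service,
          [System.Collections.Generic.HashSet[string]]$Seen)
    # Depth-first, post-order walk over every level of dependency: a service
    # is emitted only after the services that depend on it, so the output
    # is a safe stop order.
    foreach ($dep in $Service.DependentServices) {
        if ($dep.Status -eq 'Running' -and $Seen.Add($dep.ServiceName)) {
            Get-RunningDependents -Service $dep -Seen $Seen
            $dep.ServiceName
        }
    }
}

function Set-ServiceLogon {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][pscredential]$Credential)
    $svc        = Get-Service -Name $Name -ErrorAction Stop
    $wasRunning = $svc.Status -eq 'Running'
    $seen       = [System.Collections.Generic.HashSet[string]]::new()
    $stopOrder  = @(Get-RunningDependents -Service $svc -Seen $seen)

    # Store the new logon in the service configuration (Win32_Service.Change).
    # A running service keeps using the old logon until it is restarted.
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    $res = Invoke-CimMethod -InputObject $cim -MethodName Change -Arguments @{
        StartName     = $Credential.UserName
        StartPassword = $Credential.GetNetworkCredential().Password
    }
    if ($res.ReturnValue -ne 0) { throw "Change failed with code $($res.ReturnValue)" }
    if (-not $wasRunning) { return }

    # Stop dependents first, then the target; start in the reverse order.
    foreach ($n in $stopOrder) { Stop-Service -Name $n -ErrorAction Stop }
    Stop-Service -Name $Name -ErrorAction Stop
    Start-Service -Name $Name -ErrorAction Stop
    [array]::Reverse($stopOrder)
    foreach ($n in $stopOrder) { Start-Service -Name $n -ErrorAction Stop }
}

# Placeholder service name; Get-Credential prompts for the account and password.
# Set-ServiceLogon -Name 'ExampleSvc' -Credential (Get-Credential)
```

Unlike the Services snap-in, `Win32_Service.Change` does not grant the account the "Log on as a service" right, so a new account needs that right assigned separately before the restart.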


Service Logon Challenges

Every Windows computer stores the account credentials for services in an encrypted area of the Registry so that it can assign appropriate rights when the services start. The computer must validate each service credential (other than the Local System account) using a SAM database on the local machine or a domain controller, so whenever you change a domain administrator account that is used by services on a machine you must also reconfigure those services to use the new credentials. Since Windows provides no automated tools to accomplish this task, your choices are to make the changes manually, one computer at a time; to develop a script to make the necessary changes; or to rely on a third-party utility.

Further complicating the logon change process is the inability of domain controllers to instantly replicate account changes. If you change a service account login on any machine before the computer can authenticate the change with the domain controller, the service will fail to start. And, should your organization have security policies that lock out administrator accounts after several failed login attempts, those services that attempt to log in with credentials that are not yet known to the domain controller could trigger cascading failures across your network.

Need for Frequent Login Changes

Good security practices – and regulatory mandates like PCI-DSS, CAG-12, SOX, HIPAA and many others – require you to change domain service account logins at least every 90 days. This can create a tremendous challenge to find and change every service account that uses a domain login – stopping and starting dependent services in the proper order to enact the change without disrupting other services.

And, whenever Windows services are configured as part of Clustered Services, the updating of service properties, changing service credentials, and stopping and starting of the services must be done with special regard for the configuration to prevent service disruption and data corruption.

Service Maintenance Alternatives

Besides the frequent updates needed to maintain network security, Windows administrators are often required to change Windows services configurations because:

• Software updates and security fixes that require immediate deployment of a new service executable might need to be installed and configured on numerous computers simultaneously;

• Unnecessary and obsolete services that could be consuming resources, impacting system performance, creating conflicts, and causing security vulnerabilities on many computers may need to be disabled or removed;

• Improperly designed services with memory leaks might need to be stopped and restarted on a regular basis, and so on.


Without automation any of these tasks can be almost impossible to accomplish, since:

• The use of scripts and other ad-hoc processes increases the chances of missing individual machines that could be offline, inaccessible, or improperly accounted for;

• Errors in scripts and manual processes could lead to unintended changes that could be difficult to document, track down and correct;

• Manual and ad-hoc methods often fail to account for complex service interdependencies, clustered services, domain controller propagation delays, and other edge conditions that can lead to service disruptions if improperly handled;

• Agents that run as services can be difficult to configure with the necessary computer rights and reliably deploy on large numbers of systems.

To put it another way, imagine that your manual process to access one server, select a service to be updated, enter and document the changed password, and stop and restart the service and any dependencies could be accomplished on average in three minutes. In a datacenter with 400 servers, this means that a manual password change job for one service on each server would take 2 ½ eight-hour shifts for an individual to complete. Multiply this by the many services to be managed in a typical datacenter and it’s no wonder that organizations make it a priority to automate service management tasks.

Three Steps to Automating Your Services Maintenance

The right services management solution can save considerable staff time and eliminate disruptions if it can reliably discover all service properties on large numbers of machines – and manage and deploy the changes that you configure. The three key steps in the process are as follows.

1. Discovery

As your network grows and changes, the ability of your services management solution to thoroughly discover the properties and behaviors of all Windows services becomes more and more critical. The basic requirements for any effective solution are to:

• Remotely locate and assess service properties across all Windows computers, dynamically updating system lists so that changes on your network are identified without additional operator intervention,


• Identify and account for all service account interdependencies so that you can make changes with the assurance that they won’t trigger service failures, and

• By integrating with the Windows Clustered Services management layer, identify any services present in Clustered Services – and identify any custom resource types so that Clustered Services from third-party or internal developers are properly managed – helping you avoid data corruption and service disruptions that would otherwise occur.
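For the first discovery requirement, an added PowerShell example (not code from this paper or from Service Account Manager) that inventories services running under non-built-in accounts across a list of hosts and reports unreachable machines as rows instead of dropping them. It assumes CIM/WinRM access to each host; the function name is hypothetical and the host names are constructed.

```powershell
# Added example. Assumes WinRM/CIM access to each host; host names are constructed.
function Get-ServiceAccountInventory {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    # Built-in identities are not affected by a domain password change.
    $builtIn = '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)'
    foreach ($computer in $ComputerName) {
        try {
            $services = Get-CimInstance -ClassName Win32_Service -ComputerName $computer `
                -OperationTimeoutSec 15 -ErrorAction Stop
        } catch {
            # Report unreachable hosts as rows so they can be retried later.
            [pscustomobject]@{ Computer = $computer; Service = $null; Account = $null
                               State = 'UNREACHABLE'; StartMode = $null }
            continue
        }
        foreach ($s in $services) {
            if ($s.StartName -and $s.StartName -notmatch $builtIn) {
                [pscustomobject]@{ Computer = $computer; Service = $s.Name
                                   Account = $s.StartName; State = $s.State
                                   StartMode = $s.StartMode }
            }
        }
    }
}

$inventory = Get-ServiceAccountInventory -ComputerName 'app01.example.test', 'db01.example.test'
# Services to reconfigure when a given account's password changes:
$inventory | Where-Object Account | Group-Object Account |
    Select-Object Name, Count, @{ n = 'Hosts'; e = { ($_.Group.Computer | Sort-Object -Unique) -join ',' } }
# Hosts that still need a retry:
$inventory | Where-Object State -eq 'UNREACHABLE' | Select-Object Computer
```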

2. Mass Management

The ability to configure your desired services changes en masse – and to reliably handle and report errors and edge conditions – sets a good mass management solution apart. Look for software that can:

• Allow you to deploy changes that you configure across any number of Windows computers,

• Give you a consolidated view of every service running on all of your machines,

• Automatically account for the complex web of service dependencies on large numbers of computers to reduce your workload whenever it’s necessary to stop and restart services,

• Easily deploy changes to privileged services logon credentials and document your actions to reduce the time needed for you to comply with your organization’s security policies and any industry mandates, and

• Provide detailed reporting of service status and change records for all of your machines.

3. Reliable Changes

The ability to reliably enact the changes that you configure is critical for any Windows services management software. Before choosing a solution, perform a thorough evaluation on your network to ensure that the software can:

• Account for service interdependencies on every machine – fully enumerating the list to account for all levels of dependency – and then correctly stop all requisite services, update dependency lists, and restart all services in the reverse order so that the changes you configure are deployed promptly and without disruption.

• Give you a way to schedule services configuration changes and deployment of new services – during maintenance windows, when selected machines are online, and so on – and to create recurring tasks so, for example, you can restart trouble-prone services on a schedule of your choosing.

• Provide automated failover so that offline and inaccessible systems are re-queued and retried until changes are completed – and any automated services restarts, scheduled reboots, or other actions that you allow are completed reliably.

• Give you an easy way to configure Logon Cache for computers at remote locations, portable systems, and other devices that may be disconnected from the network at a time when it may be necessary to authenticate Windows services.


About Service Account Manager

Service Account Manager, the Windows services management solution from Lieberman Software, can remotely access, analyze, and modify Windows service properties on all managed systems in your enterprise. It provides a consolidated view of every service running on every system, granting administrators the ability to quickly update service credentials and run dynamic dependency analysis on multiple machines from one console, without resorting to manual processes.

Benefits of Service Account Manager include increased availability, security, and performance of mission-critical Windows servers. Service Account Manager also helps organizations maintain regulatory compliance standards by frequently changing administrator passwords referenced by services.

Free Trial Offer

To download a no-obligation, 30-day trial of Service Account Manager visit us online at http://www.liebsoft.com/Service_Account_Manager_Download/.

Service Account Manager is compatible with all 32 and 64 bit versions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2; along with Windows XP Professional, Windows Vista Business or higher, and Windows 7 Professional or higher.

www.liebsoft.com | P 800.829.6263 (USA/Canada) | P (01) 310.550.8575 (Worldwide) | F (01) 310.550.1152 | 1900 Avenue of the Stars, Suite 425, Los Angeles, CA 90067

© 2012 Lieberman Software Corporation. Trademarks are the property of their respective owners.