Any system that uses impersonation has an inherent security issue: the accounts being impersonated can be used, but they can also be abused. RunAs accounts in SCOM carry exactly that risk, and it is worse than usual, because these accounts typically need to perform system administration-like tasks and therefore hold considerable privileges on the monitored systems.
Password policies could reduce these risks, but who wants the hassle of maintaining them? Does forced rotation even help? (SANS doesn't think so.) And how do we avoid losing monitoring data and alerts because a RunAs password quietly expired? At the end of the day, most shops end up with passwords stored somewhere, and the accounts set to "password never expires", which is the worst outcome for a privileged account.
To fix this, we first need to monitor the RunAs accounts for password expiration. And this is SCOM we're talking about, which can not only monitor a condition but also run a task in response to it, such as a password that is about to expire. The framework to address the challenges of changing a RunAs account password is already there, so let's address them!
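As an added example for the "monitor the RunAs accounts for password expiration" step (this is not code from the original post), the PowerShell below lists the Windows-credential RunAs accounts in a management group and reports when each one's Active Directory password expires, flagging expired, soon-to-expire and "never expires" accounts. It assumes the OperationsManager and ActiveDirectory modules are installed where it runs, that the caller can read the management group and query AD, that the `AccountType` values compared against are the ones `Get-SCOMRunAsAccount` reports in your environment, and that `$ManagementServer` and `$WarnDays` are values you supply.

```powershell
# Added example, not part of the original post.
# Assumptions: OperationsManager + ActiveDirectory modules available; the caller can
# read the management group and query AD; $ManagementServer/$WarnDays are your values.
param(
    [string]$ManagementServer = 'localhost',   # assumed: management server to connect to
    [int]$WarnDays = 14                        # assumed: warn when this many days or fewer remain
)

Import-Module OperationsManager
Import-Module ActiveDirectory
New-SCOMManagementGroupConnection -ComputerName $ManagementServer | Out-Null

# AD returns Int64.MaxValue in msDS-UserPasswordExpiryTimeComputed when the
# password never expires, and 0 when the user must change it at next logon.
$NeverExpires = [Int64]::MaxValue

# Assumption: these are the AccountType values for domain credentials in this environment.
$DomainAccountTypes = @('Windows', 'ActionAccount')

$report = foreach ($acct in Get-SCOMRunAsAccount) {
    # Only domain credentials have a password that AD can expire; skip Basic, SNMP, etc.
    if ($acct.AccountType -notin $DomainAccountTypes -or [string]::IsNullOrEmpty($acct.UserName)) {
        continue
    }

    $principal = "$($acct.Domain)\$($acct.UserName)"
    try {
        $user = Get-ADUser -Identity $acct.UserName -Server $acct.Domain `
            -Properties PasswordNeverExpires, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'
    } catch {
        Write-Warning "RunAs account '$($acct.Name)': cannot resolve $principal in AD: $_"
        continue
    }

    $expiryRaw = $user.'msDS-UserPasswordExpiryTimeComputed'
    $expires   = $null
    $daysLeft  = $null

    if ($user.PasswordNeverExpires -or $expiryRaw -eq $NeverExpires) {
        # This is the "password never expires" case the post warns about: report it
        # explicitly instead of treating it as healthy.
        $status = 'NeverExpires'
    } elseif (-not $expiryRaw) {
        $status = 'MustChangeAtNextLogon'
    } else {
        $expires  = [datetime]::FromFileTime($expiryRaw)
        $daysLeft = [math]::Floor(($expires - (Get-Date)).TotalDays)
        $status   = if ($daysLeft -lt 0)          { 'Expired' }
                    elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' }
                    else                          { 'OK' }
    }

    [pscustomobject]@{
        RunAsAccount    = $acct.Name
        User            = $principal
        PasswordLastSet = $user.PasswordLastSet
        Expires         = $expires
        DaysLeft        = $daysLeft
        Status          = $status
    }
}

# Anything that is not OK is exactly what a SCOM monitor (or a scheduled task) should alert on.
$report | Sort-Object DaysLeft | Format-Table -AutoSize
$report | Where-Object Status -ne 'OK'
```

Run it on a management server with an account that can query AD; the `Where-Object` line at the end is the set you would turn into a SCOM alert or feed into an automated rotation task, and `NeverExpires` entries deserve the same attention as `ExpiringSoon` ones, because those are the passwords nobody has rotated.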