Inactive accounts, and accounts that have never logged in to a machine at all, are known as “stale” user accounts. Stale accounts pose a security risk to organizations: each one gives a malicious actor a ready-made identity with which to gain access to resources, and it is not uncommon for these accounts to still carry the default password set when they were created. When stale accounts are unknown to an organization or unmonitored, a malicious actor who compromises one can operate under it for a long time without standing out to IT staff, because nobody expects activity from the account and nobody notices its absence. Best practices and standards require that these accounts be removed or disabled within a set amount of time:
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Rev. 4 – AC-2(3): The information system automatically disables inactive accounts after the organization-defined time period.
- Payment Card Industry Data Security Standard (PCI DSS), version 3.2.1 – Requirement 8.1.4: Remove/disable inactive user accounts within 90 days.
Think of it this way: imagine you run a kingdom in medieval times. Each account that is given out or created is a member of your kingdom who holds a key to the city. Any one key (or account) could topple your entire kingdom, as rival kingdoms and bandits (malicious actors) want to get in and steal anything of value. The more keys (or accounts) you can remove from circulation, the more secure your kingdom is.
Microsoft has published guidance on collecting lists of stale accounts. The two methods Microsoft recommends are the Dsquery command-line tool and the Active Directory PowerShell module. Third-party tools and utilities make this simpler and can automate other Active Directory (AD) hygiene tasks as well.
Once a list of stale accounts is created, there are a few easy things that can be done to reduce the associated risk within your organization.
- Set a maximum password age via Group Policy Object (GPO), and an account expiration date on accounts that are temporary by design – If a user account is created and forgotten about, the risk is reduced after a set amount of time. Note that an expired password does not lock the account by itself; an interactive logon is still allowed and merely forces a password change, so treat password expiry as a backstop, not as the control.
- Disable user accounts after a set amount of inactivity – A simple script can check the last logon time of each AD user account, and disabling an account prevents any logon with it. Check the replicated lastLogonTimestamp attribute rather than lastLogon, which is kept separately on each domain controller and never replicated; lastLogonTimestamp can lag real activity by up to 14 days, which is acceptable for a 90-day threshold but means an account that has never logged on has no value at all and must be aged from its creation date instead.
- Move disabled accounts to a dedicated “Disabled” Organizational Unit (OU) – The disabled state is what actually blocks logon; the OU makes these accounts easy to find, report on and exclude from other policies, and a restrictive Group Policy linked to it gives some defense in depth if an account is ever re-enabled by mistake. Along with this, make sure that all group memberships (other than the primary group, Domain Users, which cannot be removed) have been stripped from disabled accounts, so that re-enabling one does not silently restore its old privileges.
- Delete inactive user accounts once your retention period has passed – Keep it simple: if it is not needed, delete it. Deletion discards the account’s SID, so any permissions granted directly to that account on file shares or in applications go with it; if you want the option to undo a mistaken deletion, confirm that the AD Recycle Bin optional feature is enabled before you start.
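The following PowerShell script is an added example of the collect-then-remediate procedure above; it is not code from Microsoft’s guidance or from Sikich. It assumes the ActiveDirectory module (RSAT) is installed, that the account running it can disable and move user objects, and that a quarantine OU named “Disabled Users” already exists; the OU path, the 90-day threshold (chosen to match PCI DSS 8.1.4) and the report location are all assumptions to adjust to your own policy. Every change is run with -WhatIf so the first pass is a dry run; remove -WhatIf once the report looks right. For comparison, the Dsquery equivalent of the collection step is `dsquery user -inactive 13` (the argument is in weeks), and `Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly` gives a quick list from PowerShell, but both treat an account with no lastLogonTimestamp, including one created yesterday, as inactive, which is why the script below ages never-logged-on accounts from whenCreated instead.

```powershell
# Added example, not part of the original article or of Microsoft's guidance.
# Assumptions: RSAT ActiveDirectory module, rights to modify user objects,
# and an existing quarantine OU at $DisabledOU.
Import-Module ActiveDirectory

$InactiveDays = 90                                        # assumed; PCI DSS 8.1.4 says 90
$DisabledOU   = 'OU=Disabled Users,DC=corp,DC=example'    # assumed OU, create it first
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$ReportPath   = Join-Path $env:TEMP "stale-accounts-$(Get-Date -Format yyyyMMdd).csv"

# 1. Collect. lastLogonTimestamp is replicated (lastLogon is not) but can lag
#    real activity by up to 14 days. An account that has never logged on has no
#    value, so age it from whenCreated rather than treating it as "inactive".
$Users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties lastLogonTimestamp, whenCreated, PasswordLastSet, MemberOf

$Stale = @(foreach ($u in $Users) {
    $last = if ($u.lastLogonTimestamp) {
        [DateTime]::FromFileTime($u.lastLogonTimestamp)
    } else {
        $u.whenCreated
    }
    if ($last -lt $Cutoff) {
        [PSCustomObject]@{
            SamAccountName  = $u.SamAccountName
            LastActivity    = $last
            NeverLoggedOn   = -not $u.lastLogonTimestamp
            PasswordLastSet = $u.PasswordLastSet          # old or blank: likely a default password
            Groups          = (@($u.MemberOf) | ForEach-Object {
                                  ($_ -split ',')[0] -replace '^CN='
                              }) -join ';'
        }
    }
})

# Keep the evidence before changing anything; auditors and the service desk will ask.
$Stale | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Found $($Stale.Count) stale accounts; report written to $ReportPath"

# 2. Remediate: disable, strip group memberships, record why, move to quarantine.
#    Run as-is for a dry run; remove -WhatIf to apply the changes.
foreach ($s in $Stale) {
    $acct = Get-ADUser -Identity $s.SamAccountName -Properties MemberOf

    Disable-ADAccount -Identity $acct -WhatIf

    # MemberOf lists every group except the primary group (Domain Users), so
    # this removes all the privileges that matter if the account is re-enabled.
    foreach ($groupDn in @($acct.MemberOf)) {
        Remove-ADGroupMember -Identity $groupDn -Members $acct -Confirm:$false -WhatIf
    }

    Set-ADUser -Identity $acct `
        -Description "Disabled $(Get-Date -Format yyyy-MM-dd): no logon for > $InactiveDays days" -WhatIf

    Move-ADObject -Identity $acct.DistinguishedName -TargetPath $DisabledOU -WhatIf
}
```

Run the script on a schedule so the sweep is continuous rather than a one-off, keep the CSV reports as the audit trail for the disable/delete timeline your policy sets, and hold the deletion step itself as a separate, manually reviewed job so that a misconfigured threshold cannot delete accounts on its own.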
Many organizations struggle with stale user accounts because of missing policies or the absence of communication between HR and IT. It is usually best to start addressing the issue from the top down. Bring in the relevant stakeholders and make sure the policy for decommissioning user accounts is up to date and understood by all groups. Review the procedures HR uses to notify IT when a user is terminated, leaves, or changes roles, since role changes are where unneeded memberships and forgotten secondary accounts most often accumulate.
If you have any questions about managing inactive accounts or security risks in general, reach out to Sikich’s team of cybersecurity experts, and we’ll be happy to assist.