By: Paul Facey, Managed Services/Advanced IT Technician
It’s that time of year where many of us are working on building new habits, getting organized, and starting the New Year off on the right foot. If you are looking to clear out clutter in the new year, we urge you to look beyond what is filling up your cabinet spaces. Clutter in your network could cause you some serious vulnerabilities, especially when it comes to expired user and PC accounts.
So, what are the risks associated with not disabling or removing expired accounts? Let’s first dig into the basics:
What is considered an “account”?
An account is generally a paired set of information (usually an ID and password) that is used to control access to something. For our purposes, it gains access to data in an organization. Most users are aware of user accounts. What users may not be aware of is that not only do users have accounts, but the PCs they are working on have additional accounts as well (this is especially true in an Active Directory environment). When a computer is functioning in an Active Directory environment, it is constantly authenticating itself to domain controllers (servers), just as users do, to confirm it has permission to access data and resources.
Why is this important?
Account maintenance is an often-overlooked part of organizational health and maintenance, and neglecting it can lead to data breaches. If a user leaves an organization, or a system is retired, the accounts for that user or system should be disabled or deleted as well. If those accounts are left active, that is an easy opportunity for an attacker to try and compromise them and gain access to company data. Attackers can have “all the time in the world” to try and compromise these accounts, because they are no longer in use and attempts against them can go unnoticed for extended periods of time.
How do we prevent or limit this?
- Physical account management when a user departs or a system is replaced. The account should either be disabled or deleted at this time. For users it is recommended they be disabled and moved to an isolated “no-permissions group” for a period of time, then deleted once it is confirmed the account no longer contains any useful data.
- To protect the organization, the administrators or IT team should be conducting periodic audits of all accounts (user and system accounts) to identify old or stale (not frequently used) accounts to determine if they should be disabled or deleted.
- Account policies should be deployed that enforce password age, account lockout, and other security features. This ensures that even if an account is forgotten, it can no longer be accessed after a set amount of time. This way, if an attacker is attempting to compromise an account, the account will be locked out after a set number of attempts. This is a recommended practice for active accounts as well.
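The three steps above can be scripted in an Active Directory domain. The following PowerShell is an added example, not code from Networks Plus or the original post. It assumes the RSAT ActiveDirectory module is installed, an inactivity threshold of 90 days, and a quarantine OU named `OU=Disabled Users,DC=example,DC=com` (all placeholders to be adjusted). It uses an isolated OU plus stripped group memberships as its stand-in for the post's “no-permissions group”, writes an audit report before changing anything, and ends by checking the domain password and lockout policy.

```powershell
# Added example (not from the original post): audit stale user and computer
# accounts, disable and quarantine them, and check the domain account policy.
# Requires the RSAT ActiveDirectory module. Thresholds and OU are assumptions.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 90,                                         # assumed threshold
    [string]$QuarantineOU = 'OU=Disabled Users,DC=example,DC=com',   # assumed OU
    [string]$ReportPath = "$env:TEMP\stale-accounts-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# 1. Periodic audit: enabled accounts with no logon since the cutoff.
#    Search-ADAccount does the lastLogonTimestamp comparison for us.
$staleUsers = Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, whenCreated, PasswordLastSet, Description

$staleComputers = Search-ADAccount -AccountInactive -DateTime $cutoff -ComputersOnly |
    Where-Object { $_.Enabled } |
    Get-ADComputer -Properties LastLogonDate, whenCreated, OperatingSystem

# A brand-new account that has simply not logged on yet is not "stale".
$staleUsers     = $staleUsers     | Where-Object { $_.whenCreated -lt $cutoff }
$staleComputers = $staleComputers | Where-Object { $_.whenCreated -lt $cutoff }

# 2. Record what was found before touching anything, so the decision to
#    disable or delete each account can be reviewed later.
$report = @(
    $staleUsers     | Select-Object @{n='Type';e={'User'}},     SamAccountName, DistinguishedName, LastLogonDate, whenCreated, PasswordLastSet
    $staleComputers | Select-Object @{n='Type';e={'Computer'}}, SamAccountName, DistinguishedName, LastLogonDate, whenCreated, OperatingSystem
)
$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Found $($staleUsers.Count) stale users and $($staleComputers.Count) stale computers; report: $ReportPath"

# 3. Disable and quarantine. Run with -WhatIf first; nothing changes until
#    ShouldProcess returns true. The description stamp lets a later cleanup
#    pass delete accounts that have sat in quarantine past the retention period.
$stamp = "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $InactiveDays days"
foreach ($u in $staleUsers) {
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable, strip groups, move to quarantine OU')) {
        Disable-ADAccount -Identity $u
        Set-ADUser -Identity $u -Description $stamp
        # Remove every group except the primary group (Domain Users) so the
        # account holds no permissions while it waits for deletion.
        Get-ADPrincipalGroupMembership -Identity $u |
            Where-Object { $_.Name -ne 'Domain Users' } |
            ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $u -Confirm:$false }
        Move-ADObject -Identity $u.DistinguishedName -TargetPath $QuarantineOU
    }
}
foreach ($c in $staleComputers) {
    if ($PSCmdlet.ShouldProcess($c.SamAccountName, 'Disable computer account')) {
        Disable-ADAccount -Identity $c
        Set-ADComputer -Identity $c -Description $stamp
    }
}

# 4. Account policy check: a LockoutThreshold of 0 means unlimited password
#    guesses, and a MaxPasswordAge of 0 means passwords never expire.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning 'Account lockout is disabled (LockoutThreshold = 0).'
}
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    Write-Warning 'Passwords never expire (MaxPasswordAge = 0).'
}
$policy | Select-Object MaxPasswordAge, MinPasswordLength, LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

Run it first as `.\Audit-StaleAccounts.ps1 -WhatIf` to get the CSV report and a dry-run listing of what would be disabled; only the second run, without `-WhatIf`, changes accounts. Computer accounts are disabled but not moved, because a machine that was merely offline for a long stretch (a laptop in storage, for example) can be re-enabled in place once its status is confirmed.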
Account management is only one piece in the overall goal of protecting your organization and data, but a vital one. Each organization should define its needs and security goals, then implement the action steps whenever possible. The Networks Plus Team is standing by to assist your organization in evaluating and implementing these measures, and to help make your organization and data as safe and protected as possible.
Want to read more on this topic? Paul recommends you check out this article from InfoSecurity Magazine.