December 1st, 2005, 12:48 AM
auditors mostly recommends to administrators to remove dormant accounts that have not logged in for many months. Can i ask the experts here, if these accounts are disabled and dormant at the same time, any ways to use them to break anything? I ask this because if there is no way to break, then we could leave these disabled & dormant accounts as they are. Right?
another qns, If these accounts are configured to be locked after say, 5 tries unsuccessful, and someone tries to break in using an account and gets the account gets locked out, can he/she try other means? what are some other means then? If not, configuring "lock outs" in security policies is a good way to deter brute force right ?
thanks for any advice.
December 1st, 2005, 12:59 AM
If they try getting into an account that has a lockout policy on it, then once they get locked out they can no longer attempt to access anything useing that account until an administrator re-instates it.
If you have dormant accounts disabled then they cannot break in with that account.
Other ways they could break in are really to many to list..Just depends on what OS your running. They could do HTTP server hacks, Try other active accounts, many other vulnerabilities for different OS's.
Just make sure your box is patched with the latest updates.
December 1st, 2005, 01:20 AM
Your security policy should cover accounts for people who are no longer at your organization. Dormant accounts are accounts that are no longer used. HR should be telling you when folks leave so you can disable the account. Once that happens, the clock should start ticking on when the account actually gets deleted.
I don't think that leaving the accounts on the system is a high security threat, but it is tempting for someone to re-activate an old account and use it for doing bad things. Say, Jimmy-Joe left six months ago, but NastyAdmin decided to skim some cash off the AP checks. So NastyAdmin reactivates Jimmy-Joe's old account, skims the money, then disables the account again. Looks like Jimmy-Joe gets blamed for the bad behavior. The account is still on the system.
Just my tuppence.
December 1st, 2005, 10:22 AM
Someone getting access to a dormant or disabled account is usually fairly low risk as they would have to first find a means of re-enable the account or obtaining the password but...
If an admin (or anyone for that matter) did happen to reset the password or re-enable the account then they could go ahead and use that account for as long as they like without anyone knowing (because there is no normal user that will scream if their password has been reset) - malicious admins could do alot of worse stuff ofcourse - or just create new accounts
The other potential risk is through social engineering, lets say that bob, who used to sit next to me just left, now I know this (and so do many others) so I ring the help desk and say, Hi I am Bob I sit at Workstation X - I have forgotten my password can you please reset it for me?
Now we all hope that our help desks would not do this but in reality alot would, I can now basically take on Bobs identity, create havoc, send pron to the CEO, get access to Bobs Highly confidential data and no-one will know it is me because I am logged on as Bob.
The other one is Bob may have written his password down and put it under his keyboard, he forgot to throw it out when he left I have found it and I can take on Bobs ID.
This risk is not just confined to potentially malicious internal users but also if company employees have logins to external systems external people will also know Bob has left (example is outlook webmail or other internet enabled systems).
As I said, In my opinion the risks of disabled and dormant accounts is pretty low, and hopefully you will have other controls in place around your help desk etc but there is a risk there, particularly around social engineering.
Auditors can be a real pain, trust me I was one, in my opinion it is not hard to remove these accounts and if it keeps the auditors happy for a while it is probably worth it!!
December 1st, 2005, 11:27 AM
Your company should really have a policy in place to remove these accounts or at least audit their use.
We have a procedure for removing accounts when someone leaves the company. The account is locked within Active Directory and after 3 months is deleted. The 3 months is to allow any of the remaining staff to request access to the information held in the account.
Different procedures need to be in place when dealing with IT Admin staff who are leaving and especially when being dismissed.
We also have alias accounts for units/departments things like 'accounts@'. We monitor those for use and if they don't seem to be getting used we go to the party that requested it and see if they still need it and remove it if they don't. That's slightly different though in that it's an active but dormant account.