If you want IT efficiency and have a sizeable team, you are probably using Microsoft Active Directory. In fact, as of Dec. 2020, 95% of Fortune 5000 said they rely on Active Directory for authentication of users. However, if not managed properly, this essential part of your infrastructure can become a serious risk. The fact is, access management and, more specifically, Active Directory management is a challenge for nearly every organization today. The reason for this is that IT departments exist to ensure your business operates effectively and efficiently, and they are measured on how well they maximize technology to help users accomplish their work. This often leads to decisions being made solely for convenience's sake rather than for security. In the end, though, this can be counter-productive, because nothing slows operations down like a successful cyber attack. To maintain efficient operations over the long haul, IT departments must balance quick and easy access with properly securing systems and information to satisfy business needs.
User lists are inherently in a constant state of flux.
In an organization of any size, users are added and others leave. Consider how many teams grow, are reorganized, or are merged with other business units in a given fiscal year. User information can amass quickly, and without consistent management it becomes outdated over time. If you do not properly manage and clean up your Active Directory, the number of objects will eventually grow to a point where it is unmanageable, and your organization may be left vulnerable to cyberattacks as a result. It is not uncommon to read about unauthorized access by a former employee who still had credentials, but more common is the scenario where a cyber attacker compromises credentials to navigate business systems, and no one ever knows until it's too late. Without proper management, you can't know who is coming and going, or which access activities should trigger an alert and an investigation.
How many of your users are inactive?
According to Microsoft’s documentation around active versus inactive accounts, when their researchers reviewed data on users’ last logon timestamps, as well as the last time passwords were changed, they found that on average, over 10 percent of all user accounts in any given organization are no longer active. This is a serious issue, as any or all of these inactive accounts could be exposed to hackers through any number of methods commonly used to acquire or compromise credentials. Further, they may also still be available to former employees, posing another significant security risk. From an attacker’s perspective, it can be simple to identify personnel that have recently departed an organization by using social media sites like LinkedIn.
Recommendations from Industry Standards
Regulations such as PCI-DSS and HIPAA require organizations to limit the access to certain information in order to create a minimum level of security. In addition to these, the National Institute of Standards and Technology (NIST) has published numerous guidelines on how to properly protect information systems. Among these guidelines there is specific attention given to access controls. These recommendations typically include the review of access needs for all accounts at specified time intervals, either annually or more frequently. Active Directory and additional access environment reviews should cover former employees, temporary employees, contractors, and vendors. Consistent reviews help ensure that access privileges are properly configured upon hiring, regularly reviewed during employment, and effectively removed with termination. In addition to NIST, several private regulatory bodies, such as the Payment Card Industry (PCI), have published their own sets of requirements for organizations to control the access of employees and authorized third parties.
PCI DSS Requirement 8.1.4 reads, "Remove/disable inactive user accounts within 90 days." Its testing procedure is to check that each account inactive for more than 90 days has been either removed or disabled. The standard also offers the following guidance: "Accounts that are not used regularly are often targets of attack since it is less likely that any changes (such as a changed password) will be noticed. As such, these accounts may be more easily exploited and used to access cardholder data." (PCI DSS)
What actions can you take?
While the NIST recommendation for personnel who no longer work for an organization is to delete these unused accounts altogether, there are other options that IT departments can use to protect the organization while still providing convenience if a former employee or contractor is re-hired to do additional work.
One key step you can take to combat these issues is to disable inactive user accounts, rather than deleting them. By disabling inactive accounts, organizations can be certain that individuals who are no longer employed by the organization will not have unauthorized access to sensitive materials.
Accounts should also be disabled when employees go on extended leave. Once the employee returns to work, their account can be re-enabled and will already have the access permissions the employee needs to continue working.
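The following PowerShell script is an added example, not part of the original post: it finds enabled user accounts with no logon inside the 90-day window PCI DSS 8.1.4 requires, exports the list for review, and then disables (rather than deletes) each one with an audit note. It assumes the RSAT ActiveDirectory module and rights to modify the accounts; the exemption list and output path are placeholders.

```powershell
# Added example: disable (not delete) user accounts inactive for 90+ days.
# Assumes the ActiveDirectory module is installed and the caller may modify the accounts.
Import-Module ActiveDirectory

$InactiveDays = 90                                   # PCI DSS 8.1.4 window
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
# Placeholder list of accounts that must never be auto-disabled (break-glass, service accounts).
$Exempt       = @('breakglass-admin', 'svc-backup')

# Caveat: LastLogonDate is derived from lastLogonTimestamp, which replicates only every
# 9-14 days, so the cutoff is fuzzy by up to two weeks. That is acceptable for a 90-day
# window but not for shorter ones (those need the unreplicated lastLogon on every DC).
$Candidates = Get-ADUser -Filter { Enabled -eq $true } `
    -Properties LastLogonDate, PasswordLastSet, WhenCreated, Description |
    Where-Object {
        # Accounts that have never logged on have no LastLogonDate; fall back to creation date
        # so a stale, never-used account is still caught.
        $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.WhenCreated }
        ($last -lt $Cutoff) -and ($Exempt -notcontains $_.SamAccountName)
    }

# Review step: write the list out before changing anything.
$Report = ".\inactive-users-$(Get-Date -Format yyyyMMdd).csv"    # placeholder path
$Candidates |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet, WhenCreated |
    Sort-Object LastLogonDate |
    Export-Csv -Path $Report -NoTypeInformation
Write-Host "$($Candidates.Count) candidate account(s) written to $Report"

foreach ($u in $Candidates) {
    # Record why and when the account was disabled so a rehire or an audit can trace it.
    $note = "Disabled $(Get-Date -Format yyyy-MM-dd): no logon in $InactiveDays days. $($u.Description)"
    Set-ADUser       -Identity $u -Description $note -WhatIf
    Disable-ADAccount -Identity $u -WhatIf
}
# Remove the -WhatIf switches only after the CSV has been reviewed.
```

Keeping the accounts disabled rather than deleted preserves their SIDs and group memberships, so a returning employee or contractor can be re-enabled without rebuilding access.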
If you would like to speak with an expert about assessing your current risks, or how to tame your Active Directory, simply request a consultation with one of our TRUE experts.
Additional Resources
- Microsoft provides guidance on how to easily identify inactive accounts in Active Directory (Microsoft TechNet)
- NIST 800-53 AC-2 provides guidance on account management and recommends the disabling of inactive accounts after a period of time
- Best practices for Active Directory management
- Security Best Practices for Active Directory