Inactive accounts or accounts that have never logged in to a machine are also known as “stale” user accounts. Stale accounts pose a security risk to organizations. Each one of these accounts offers a malicious actor an opportunity to gain access to resources. It is also not uncommon for these stale accounts to have the original default password set. When stale accounts are unknown to an organization or unmonitored, a malicious actor can compromise one and remain hidden to IT staff. Best practices and standards require that these accounts are removed or disabled within a set amount of time:
Think of it this way; imagine you run a kingdom in medieval times. Each account that is given out or created is a member of your kingdom that has keys to the city. A key (or account) could topple your entire kingdom, as other kingdoms or bandits (malicious actors) want to get into your kingdom to steal anything of value. The more keys (or accounts) you can remove from circulation, the more secure your kingdom is.
Microsoft published guidance around collecting lists of stale accounts. The two ways Microsoft recommends are using Dsquery and PowerShell. Third-party tools/utilities make this simpler and can automate other Active Directory (AD) functions.
Once a list of stale accounts is created, there are a few easy things that can be done to reduce the associated risk within your organization.
- Set a password expiry date via Group Policy Object (GPO) – If a user is created and forgotten about, the risk will be mitigated after a set amount of time.
- Disable user accounts after a set amount of time – A simple script can check the last login time of an AD user account, and disabling an account prevents any login with that account.
- Move disabled accounts to a unique “Disabled” Organizational Unit (OU) – Create a specialized OU that has a Group Policy that removes/blocks all accesses and privileges. Along with this, make sure that all group membership has been removed from disabled accounts.
- Delete inactive user accounts – Keep it simple – if it is not needed, delete it.
Many organizations struggle with stale user accounts because of missing policies or the absence of communication between HR and IT. It may be best to start addressing the issue from the top down. Bring in the relevant stakeholders and make sure the policy of decommissioning user accounts is up to date and understood by all groups. Review procedures with HR for communicating with IT when a user is terminated or when a user changes roles.
If you have any questions about managing inactive accounts or security risks in general, reach out to Sikich’s team of cybersecurity experts, and we’ll be happy to assist.
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.