ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: What are the security risks associated with having stale computer accounts in our Active Directory environments?


Member

Posts: 10
Date: Jun 12, 2010
What are the security risks associated with having stale computer accounts in our Active Directory environments?
Permalink  
 


Hi Guys,

 

We have a situation where we believe we may have a few stale computer accounts in our Active Directory. These basically belong to employees who’ve been around for a while and are now on 3 - 6 month sabbaticals. (Basically, their user accounts are technically stale as well, in that they have not been used for equally long.)

 

We do however need to keep them for once these employees come back, it will be business as usual for them. In the meanwhile, should we be concerned about these computer accounts in any way?

 

While most of them are joined to the Active Directory, some are not, but they’re still on and connected as they function as local business team file servers. While we can update the domain joined machines, we can’t always automate updating the non-domain joined ones.

 

I’m new to the forum, and thought I’d share my question. I’m sure most of you would have come across such a situation, and it would be helpful to get your perspectives.

 

Thanks,

-Jimmy



__________________
iPad Rocks!


Member

Posts: 21
Date: Jun 23, 2012
RE: What are the security risks associated with having stale computer accounts in our Active Directory environments?
Permalink  
 


Hi Jimmy,

In general, if you have a need to keep stale accounts around, it is a good practice to at least disable them until the users come back from their sabbaticals, for that you, you reduce the risk of someone trying to compromise the accounts and then misusing them.

One other angle is that sometimes, when users are on leave, organizations require that not be able to access the system, and in these cases as well, it helps to disable these accounts. I suppose the same argument could apply to stale computer accounts as well. 

At our company, we have a policy to identify stale accounts, i.e. those inactive for 90 days, on a weekly basis, and then disable them.

It is also good practice to check that remain disabled, because you never know how many delegated admins might have the ability to enable them.

I would thus suggest enumerating stale domain user and computer accounts on at least a fortnightly basis, ensuring that they are disabled, and ensuring that only people who are able to enable them have rights to enable them.

Good luck to you with projects.

-G



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.



Member

Posts: 10
Date: Jul 20, 2012
RE: What are the security risks associated with having stale computer accounts in our Active Directory environments?
Permalink  
 


Hi Geoffrey,

Thank you for taking the time to answer my question. Your inputs have been helpful and we are doing the needful to put in a place the right policies for stale accounts.

In order to enforce these policies, we however need some way to be able to audit the state of our accounts so that we can determine which ones may be stale, and which ones active.

Do you have any recommendations on an easy and efficient way to audit the state of our accounts?

Thanks,

Jimmy.



__________________
iPad Rocks!


Member

Posts: 21
Date: Jul 21, 2012
What are the security risks associated with having stale computer accounts in our Active Directory environments?
Permalink  
 


Jimmy,

There are many ways to audit the state of domain user accounts in AD, but the easiest and most efficient way I know of is via an Active Directory Security Audit Tool called Gold Finger for AD.

I say its easy and efficient because its got numerous customizable (using LDAP filters) domain account management reports, and to generate a report, I just select a report, point it to a domain/OU and click a buttton.

The tool's over at - www.paramountdefenses.com/goldfinger

-G



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.

Page 1 of 1  sorted by
Quick Reply

Please log in to post quick replies.

Post to Digg Post to Del.icio.us
Members Login
Username 
 
Password 
    Remember Me