According to the most recent Critical Security Controls from SANS, “any account that is dormant must be disabled and eventually removed from the system”.
When employees leave the company or contractor accounts are no longer used, it is certainly a wise decision to terminate their access. Most companies do not rush to remove the accounts of terminated users, though. Instead they prefer to disable these accounts and leave them in this “sanitization” state for some time, usually between 30 and 90 days. Indeed, while accounts are merely disabled you can still preserve and analyze their audit trails, which might come in handy for a forensic investigation of past user activity.
Keeping disabled accounts comes with liability. According to SANS, “Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for network watchers”. That is why it is paramount to keep a close eye on disabled user accounts. In particular, when reviewing a list of currently disabled user accounts you might also want to check the following for each disabled user account:
- When was the last time the account successfully logged on to the Active Directory managed network?
- When was the last failed attempt to logon due to bad password?
So, let’s see how we can use familiar PowerShell tools to show this information. At first glance, this command might seem to be what we are looking for:
Search-ADAccount -AccountDisabled
According to its description it returns a list of disabled accounts. There are two gotchas here. First, it does not differentiate by account type. So, you will get computer accounts as well. Second, it does not let you specify other attributes you want to see for disabled accounts.
Luckily, just like in the previous example with locked out user accounts we can use the Get-ADUser cmdlet to address these shortcomings:
Get-ADUser -Filter * -Properties SamAccountName, LastBadPasswordAttempt, LastLogonDate, Enabled | Where-Object { $_.Enabled -eq $false } | Select-Object SamAccountName, LastBadPasswordAttempt, LastLogonDate
This command will return a full list of disabled user accounts along with a pair of attributes that effectively tell you when somebody last attempted to use each of those accounts.
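As an added example (not code from the original post), the script below wraps the same review in a reusable function and handles a caveat a practitioner will run into: LastBadPasswordAttempt is backed by the badPasswordTime attribute, which is not replicated between domain controllers, so a single query only shows attempts handled by the DC that answered it. The function therefore asks every DC and keeps the newest value, filters to disabled user objects on the server side (which also excludes computer accounts), and flags disabled accounts that somebody has tried to log on to within a configurable window. The function name, parameter name and the 30-day threshold are assumptions of this example; it assumes the ActiveDirectory module and read access to the attributes.

```powershell
# Added example (not from the original post): list disabled user accounts with
# their most recent logon and bad-password attempt, gathered from every DC.
# Assumes the ActiveDirectory module and rights to read these attributes.
Import-Module ActiveDirectory

function Get-DisabledUserActivity {
    param(
        # Flag accounts whose last bad-password attempt is newer than this many days
        [int]$RecentDays = 30
    )

    $cutoff = (Get-Date).AddDays(-$RecentDays)

    # Server-side filter: only user objects that are disabled (no computer accounts).
    $disabled = Get-ADUser -Filter 'Enabled -eq $false' -Properties LastLogonDate

    # badPasswordTime (surfaced as LastBadPasswordAttempt) is not replicated between
    # domain controllers, so each DC only knows about the attempts it handled itself.
    $dcs = (Get-ADDomainController -Filter *).HostName

    foreach ($user in $disabled) {
        $lastBad = $null
        foreach ($dc in $dcs) {
            try {
                $u = Get-ADUser -Identity $user.DistinguishedName -Server $dc `
                                -Properties LastBadPasswordAttempt -ErrorAction Stop
                if ($u.LastBadPasswordAttempt -and
                    (-not $lastBad -or $u.LastBadPasswordAttempt -gt $lastBad)) {
                    $lastBad = $u.LastBadPasswordAttempt
                }
            } catch {
                # A DC that is unreachable should not silently hide an attempt; say so.
                Write-Warning "Could not query $dc for $($user.SamAccountName): $_"
            }
        }

        [PSCustomObject]@{
            SamAccountName         = $user.SamAccountName
            # LastLogonDate comes from lastLogonTimestamp, which replicates but may
            # lag the real last logon by up to 14 days.
            LastLogonDate          = $user.LastLogonDate
            LastBadPasswordAttempt = $lastBad
            # True when someone has tried this disabled account inside the window.
            RecentBadPassword      = [bool]($lastBad -and $lastBad -gt $cutoff)
        }
    }
}

# Usage: review the whole list, most recently probed accounts first.
Get-DisabledUserActivity -RecentDays 30 |
    Sort-Object LastBadPasswordAttempt -Descending |
    Format-Table -AutoSize
```

Accounts that show RecentBadPassword as True deserve a closer look: a disabled account should not be attracting logon attempts, so a recent bad password points either to a stale scheduled task or service still configured with that identity, or to someone probing dormant accounts, which is exactly the behaviour the SANS control warns about.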
But what if you want to know what exactly these accounts were used for in case they got compromised? Unfortunately, this information is not easy to obtain without appropriate auditing tools in place. If you want to have this kind of insurance in place you might want to take a look at Logon Reporter and File System Auditor that will audit and report on access of all users in Active Directory.
It goes without saying that performing this review on a regular basis is the least you can do to safeguard your network from insider attacks and improve overall security posture.