
Active Directory User and Group Reporting: Disabled User Accounts

July 28, 2015 | blog | wp_admin

According to the most recent Critical Security Controls from SANS, “any account that is dormant must be disabled and eventually removed from the system”.

When employees leave the company or contractor accounts are no longer used, it is certainly a wise decision to terminate their access. Most companies do not rush to remove the accounts of terminated users, though. Instead, they prefer to disable these accounts and leave them in this “sanitization” state for some time, usually between 30 and 90 days. Indeed, while accounts are disabled you can still preserve and analyze their audit trails, which may come in handy for a forensic investigation of past user activity.

Keeping disabled accounts comes with liability. According to SANS “Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for network watchers“. That is why it is paramount to keep a close eye on disabled user accounts. In particular, when reviewing a list of currently disabled user accounts you might also want to check the following for each disabled user account:

  1. When was the last time the account successfully logged on to the Active Directory managed network?
  2. When was the last failed attempt to logon due to bad password?

So, let’s see how we can use familiar PowerShell tools to show this information. At first glance, this command might seem to be what we are looking for:

Search-ADAccount -AccountDisabled

According to its description it returns a list of disabled accounts. There are two gotchas here. First, it does not differentiate by account type. So, you will get computer accounts as well. Second, it does not let you specify other attributes you want to see for disabled accounts.

Luckily, just like in the previous example with locked out user accounts we can use the Get-ADUser cmdlet to address these shortcomings:

Get-ADUser -Filter * -Properties SamAccountName, LastBadPasswordAttempt, LastLogonDate, Enabled | Where-Object { $_.Enabled -eq $false } | Select-Object SamAccountName, LastBadPasswordAttempt, LastLogonDate

This command returns the full list of disabled user accounts together with a pair of attributes that effectively tell you when somebody last attempted to use each of those accounts.
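The same review as a reusable function, added here as an example rather than code from the original post. It filters on the server side instead of piping every user through Where-Object, and, because badPasswordTime is not replicated between domain controllers, it asks every DC for LastBadPasswordAttempt and keeps the latest value. The function name, the RetentionDays parameter and the use of whenChanged as an approximation of the disable date are assumptions of this example; it requires the ActiveDirectory module and rights to query all DCs.

```powershell
# Added example (not from the original post): report on disabled user accounts,
# collecting LastBadPasswordAttempt from every DC because badPasswordTime
# is a non-replicated attribute and differs from DC to DC.
Import-Module ActiveDirectory

function Get-DisabledUserReport {
    param(
        # Retention window after which a disabled account becomes a removal candidate
        [int]$RetentionDays = 90
    )

    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    # Server-side filter: Get-ADUser already restricts to user objects
    $disabled = Get-ADUser -Filter 'Enabled -eq $false' `
        -Properties LastLogonDate, LastBadPasswordAttempt, whenChanged

    foreach ($user in $disabled) {
        # Start with the value from the DC we are connected to, then check the others
        $lastBad = $user.LastBadPasswordAttempt
        foreach ($dc in $dcs) {
            try {
                $t = (Get-ADUser $user.DistinguishedName -Server $dc `
                        -Properties LastBadPasswordAttempt).LastBadPasswordAttempt
                if ($t -and (-not $lastBad -or $t -gt $lastBad)) { $lastBad = $t }
            } catch {
                Write-Warning "Could not query $dc for $($user.SamAccountName): $_"
            }
        }

        [pscustomobject]@{
            SamAccountName          = $user.SamAccountName
            # LastLogonDate comes from the replicated lastLogonTimestamp, which
            # can lag the real last logon by up to about 14 days
            LastLogonDate           = $user.LastLogonDate
            LastBadPasswordAttempt  = $lastBad
            # Assumption: whenChanged approximates when the account was disabled;
            # there is no dedicated "disabled since" attribute
            DisabledSince           = $user.whenChanged
            # Someone tried this account after it was disabled: worth a closer look
            BadPasswordAfterDisable = ($lastBad -and $lastBad -gt $user.whenChanged)
            RemovalCandidate        = ($user.whenChanged -lt $cutoff)
        }
    }
}

Get-DisabledUserReport -RetentionDays 90 |
    Sort-Object LastBadPasswordAttempt -Descending |
    Format-Table -AutoSize
```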

But what if you want to know what exactly these accounts were used for in case they got compromised? Unfortunately, this information is not easy to obtain without appropriate auditing tools in place. If you want to have this kind of insurance in place you might want to take a look at Logon Reporter and File System Auditor that will audit and report on access of all users in Active Directory.

It goes without saying that performing this review on a regular basis is the least you can do to safeguard your network from insider attacks and improve overall security posture.
