Deactivated User Accounts Die Hard
New research finds deleted Windows accounts stick around for up to 10 hours and are open to abuse.
May 7, 2014
Deleted, expired, and locked-out Windows user accounts actually stay alive -- and vulnerable to abuse -- for up to 10 hours after they’ve been disabled, leaving the door open for malicious insider and targeted attacks, according to new research.
The issue is based on design weaknesses in the Kerberos protocol, as well as weaknesses in how Windows handles user account revocation, says Idan Plotnik, CEO of Aorato, which published its findings today.
Kerberos -- the authentication method used in Windows and Active Directory -- provides single sign-on for a corporate network and uses an organizational "ticket" for subsequent user access. As such, disabling a fired or other end-user account doesn't stop that user from temporarily accessing data and applications in the network. And attackers targeting an organization could use those invisibly active credentials to hack further into the targeted network, according to the research.
"This exposes the corporation to attacks. And traditional security measures don't have proper visibility of those attacks," Plotnik says of most logging and SIEM products.
Backdoor malware can track changes to the Windows Active Directory by querying it, he says. "Malware can sit there for six months and then see that Kelly is not in Active Directory anymore. It can then trigger to start using [that user] account and access resources. Everyone has access to Active Directory, but no one pays attention to it."
Aorato, which sells a directory services application firewall, says there are ways to track any abuse of disabled Windows user accounts: tying each ticket to the current state of the user account that holds it; tracking changes in the state of user accounts alongside those accounts' activity; and terminating any request from a disabled user account to access a network resource.
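The second of those measures, correlating account state changes with the account's later activity, can be approximated from the Windows Security log alone. The following is an added example, not code from the article or from Aorato: it pairs account revocation events with subsequent Kerberos service-ticket requests for the same account and flags any request that arrives after the revocation, noting whether it falls inside the 10-hour window the research describes. The event IDs are standard Windows Security log IDs (the article does not name them, so using them here is this example's assumption), and the log lines are constructed for the demonstration.

```python
from datetime import datetime, timedelta

# Windows Security log event IDs used for the correlation (real IDs; the article
# names none of them, so this mapping is an assumption of the example):
#   4725 = user account disabled, 4726 = user account deleted,
#   4740 = user account locked out, 4722 = user account enabled,
#   4769 = Kerberos service ticket (TGS) requested.
REVOCATION_EVENTS = {4725, 4726, 4740}
REENABLE_EVENTS = {4722}
TICKET_EVENTS = {4769}

# Active Directory's default maximum TGT lifetime; the article's "up to 10 hours".
TICKET_LIFETIME = timedelta(hours=10)

# Constructed sample events, not real logs. The order is deliberately scrambled
# because exported logs are rarely sorted.
SAMPLE_EVENTS = [
    {"time": "2014-05-07T09:00:00", "event_id": 4769, "account": "kelly", "service": "cifs/fileserver"},
    {"time": "2014-05-07T09:30:00", "event_id": 4725, "account": "kelly", "service": None},
    {"time": "2014-05-07T11:15:00", "event_id": 4769, "account": "KELLY", "service": "cifs/fileserver"},
    {"time": "2014-05-07T12:00:00", "event_id": 4769, "account": "bob", "service": "ldap/dc1"},
    {"time": "2014-05-07T14:00:00", "event_id": 4740, "account": "bob", "service": None},
    {"time": "2014-05-08T01:00:00", "event_id": 4769, "account": "bob", "service": "ldap/dc1"},
    {"time": "2014-05-07T16:00:00", "event_id": 4769, "account": "bob", "service": "cifs/fileserver"},
    {"time": "2014-05-07T10:00:00", "event_id": 4725, "account": "alice", "service": None},
    {"time": "2014-05-07T10:05:00", "event_id": 4722, "account": "alice", "service": None},
    {"time": "2014-05-07T10:30:00", "event_id": 4769, "account": "alice", "service": "cifs/fileserver"},
]


def find_revoked_account_activity(events, ticket_lifetime=TICKET_LIFETIME):
    """Flag Kerberos service-ticket requests made by accounts that were
    disabled, deleted, or locked out earlier in the log.

    Returns a list of alert dicts in chronological order. Requests inside
    `ticket_lifetime` of the revocation match the window the research
    describes (a previously issued TGT still being honoured); requests beyond
    it are flagged as well, because a revoked account should not be obtaining
    service tickets at all.
    """
    revoked = {}  # account -> (revocation time, revocation event id)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        account = ev["account"].lower()  # sAMAccountName is case-insensitive
        eid = ev["event_id"]
        if eid in REVOCATION_EVENTS:
            revoked[account] = (when, eid)
        elif eid in REENABLE_EVENTS:
            # An account re-enabled by an administrator is legitimate again.
            revoked.pop(account, None)
        elif eid in TICKET_EVENTS and account in revoked:
            revoked_at, revoked_by = revoked[account]
            age = when - revoked_at
            alerts.append({
                "account": account,
                "service": ev["service"],
                "request_time": ev["time"],
                "revoked_by_event": revoked_by,
                "hours_since_revocation": round(age.total_seconds() / 3600, 2),
                "within_ticket_lifetime": age <= ticket_lifetime,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_revoked_account_activity(SAMPLE_EVENTS):
        print(alert)
```

The correlation keys on the account name rather than the ticket itself, since the Security log does not expose ticket identity; the re-enable handling matters in practice, because a disable-then-enable sequence is routine during offboarding mistakes and would otherwise generate false alerts.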
The full report from Aorato is available here.