The Dangers of Dormant Accounts
By Enterprise IT Planet Staff
December 2, 2005
Workers come and go.
Sometimes a shift in their career trajectories causes a split. Some, unfortunately, just don't make the cut. Or worse, their behavior was not in keeping with the company's business practices.
An ex-worker's chair sits empty. Why is the user account still hanging around?
At this point, HR prepares to close an employee's file and wrap up its obligations. IT is alerted and the pertinent accounts are locked out. A full deletion rarely occurs at this stage since there are usually some loose strings to take care of.
All that's left is packing up some personal items, hopefully without security escorting a worker out the door.
So an account becomes inactive. But those loose strings, and the reasons for keeping those old accounts around, fade as the day's business takes priority. Absent any policy to deal with these accounts, they just sit around consuming a few resources here and there but not causing any real harm.
Not so fast.
IT personnel are put in positions of implicit trust. As such, they can resurrect those accounts and unwittingly (or purposely) put your data at risk. Departing admins are a particular concern, especially if they left under less than amicable circumstances, since they know which dormant accounts exist and how to re-enable them.
This week we explore how an "out of sight, out of mind" attitude towards dormant accounts can cause trouble long after ex-employees were sent packing with their red Swinglines in tow.
Note: Any opinions expressed below are solely those of the individual posters on the AntiOnline forums.
ghostmachine wonders aloud...
Auditors mostly recommend removing dormant accounts that have not logged in for many months. Can I ask the experts here: if these accounts are disabled and dormant at the same time, are there any ways to use them to break anything? I ask this because if there is no risk, then we could leave these disabled and dormant accounts as they are. Right?
rapier57 brings up a troubling possibility.
Your security policy should cover accounts for people who are no longer at your organization. Dormant accounts are accounts that are no longer used. HR should be telling you when folks leave so you can disable the account. Once that happens, the clock should start ticking on when the account actually gets deleted.
I don't think that leaving the accounts on the system is a high security threat, but it is tempting for someone to re-activate an old account and use it for doing bad things. Say, Jimmy-Joe left six months ago, but NastyAdmin decided to skim some cash off the AP checks. So NastyAdmin reactivates Jimmy-Joe's old account, skims the money and then disables the account again. Looks like Jimmy-Joe gets blamed for the bad behavior. The account is still on the system.
Aspman believes in limits.
Your company should really have a policy in place to remove these accounts or at least audit their use.
We have a procedure for removing accounts when someone leaves the company. The account is locked within Active Directory and after 3 months is deleted. The 3 months is to allow any of the remaining staff to request access to the information held in the account.
Different procedures need to be in place when dealing with IT admin staff who are leaving, especially when they are being dismissed.
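The two controls the posters describe, a fixed retention window after an account is disabled (Aspman's 3 months) and an audit of any re-enable of a leaver's account (rapier57's NastyAdmin scenario), can both be checked from an account inventory and an account-change audit trail. The following is an added example written for this article, not code from any of the posters, and it models the records generically rather than against Active Directory: the account dictionary, the event tuples, the actor names and the 90-day retention constant are all constructed sample values.

```python
from datetime import datetime, timedelta

RETENTION_DAYS = 90  # Aspman's 3-month hold before a disabled leaver account is deleted

# Constructed sample leaver inventory (not real data).
# disabled_on: when IT locked the account after HR's notice; None for a current employee.
ACCOUNTS = {
    "jimmy-joe": {"disabled_on": datetime(2005, 5, 1), "last_logon": datetime(2005, 4, 29)},
    "alice":     {"disabled_on": datetime(2005, 11, 10), "last_logon": datetime(2005, 11, 9)},
    "bob":       {"disabled_on": None, "last_logon": datetime(2005, 11, 30)},
}

# Constructed audit trail of account state changes: (actor, action, target, when).
# The two "nastyadmin" rows are the abuse pattern rapier57 describes: re-enable a
# leaver's account, act under it, disable it again.
EVENTS = [
    ("helpdesk",   "disable", "jimmy-joe", datetime(2005, 5, 1, 17, 0)),
    ("helpdesk",   "disable", "alice",     datetime(2005, 11, 10, 9, 0)),
    ("nastyadmin", "enable",  "jimmy-joe", datetime(2005, 11, 14, 2, 10)),
    ("nastyadmin", "disable", "jimmy-joe", datetime(2005, 11, 14, 2, 55)),
]


def accounts_due_for_deletion(accounts, now, retention_days=RETENTION_DAYS):
    """Disabled accounts whose retention window has fully elapsed, sorted by name."""
    cutoff = now - timedelta(days=retention_days)
    return sorted(name for name, rec in accounts.items()
                  if rec["disabled_on"] is not None and rec["disabled_on"] <= cutoff)


def _leavers(accounts):
    """Accounts HR has flagged as departed (i.e. that IT has disabled)."""
    return {name for name, rec in accounts.items() if rec["disabled_on"] is not None}


def suspicious_reactivations(accounts, events):
    """Every enable event on a leaver account: (actor, target, when), in time order."""
    leavers = _leavers(accounts)
    ordered = sorted(events, key=lambda e: e[3])
    return [(actor, target, when) for actor, action, target, when in ordered
            if action == "enable" and target in leavers]


def reactivation_windows(accounts, events):
    """Pair each leaver re-enable with the next disable of the same account.

    Returns (actor, target, minutes_open); minutes_open is None if the account
    was never disabled again, which is the worse case for the defender.
    """
    leavers = _leavers(accounts)
    ordered = sorted(events, key=lambda e: e[3])
    windows = []
    for i, (actor, action, target, opened) in enumerate(ordered):
        if action != "enable" or target not in leavers:
            continue
        closed = next((w for a, act, t, w in ordered[i + 1:]
                       if t == target and act == "disable"), None)
        minutes = int((closed - opened).total_seconds() // 60) if closed else None
        windows.append((actor, target, minutes))
    return windows


if __name__ == "__main__":
    now = datetime(2005, 12, 2)
    print("due for deletion:", accounts_due_for_deletion(ACCOUNTS, now))
    print("leaver re-enables:", suspicious_reactivations(ACCOUNTS, EVENTS))
    print("open windows (min):", reactivation_windows(ACCOUNTS, EVENTS))
```

The deletion check only needs the inventory, so it can run as a scheduled job; the re-enable check needs the change audit trail, which is the record an auditor would use to show that "Jimmy-Joe" was not at the keyboard when the account was active. A short open-then-closed window on a long-disabled account, as in the sample, is the signature worth alerting on regardless of who the actor is.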
How do you manage dormant accounts? Tell us here.