
User Account Review | Roadmap to Securing Your Infrastructure

Posted on March 18, 2019 by Robert Salmans

One of the topics you may not often think of as being all that important to security is user accounts on systems. We spend so much time on other things — like managing firewall rules, system patching, analyzing report data, etc. — that user accounts are often a neglected topic.

At a previous employer, I performed many security-focused audits for organizations needing to meet regulatory compliance. As part of these audits, I would review systems for best practice and general housekeeping. You can tell a lot about an administrator by the state of their environment. Too often I would find accounts that had not logged in for years or may have never logged in. Why do you need those accounts if they’re not being used?

Dangers of obsolete accounts

You might think, “So there are a few old user accounts hanging around — so what?” But here’s some food for thought: When you deploy a new group policy in Active Directory for password complexity or enable password requirements on Linux, that only affects newly created accounts or when an existing account’s password is changed. If an existing account already has a weak password, it will continue to have that weak password until it’s forced to be changed. So there’s a possibility those old accounts have been around a while and may have very weak passwords.

Something else to consider is that if those accounts aren’t being used, then the administrator probably isn’t familiar with them, and they may be part of a group that has access to sensitive data or escalated permissions. Therefore, if those accounts are compromised, there’s no telling what the attacker could access. The point I’m trying to make is we need to maintain a clean environment — and that includes reviewing user accounts for validity. (Great news – as I’m writing this, I’m also working on a CompTIA CySA+ certification course here at Linux Academy to be released soon!)

Identifying unused accounts

So, how can we go about doing this? It’s fairly simple. On a Linux host, simply run the lastlog command to get a list of the last login date of every user on the system. From this, you can identify any accounts not actively being used. In Windows Active Directory, a PowerShell command like the one below lists the enabled users that have not logged in within the last 30 days:

# $OU is a placeholder for the distinguished name of the OU you want to review.
$OU = "OU=Staff,DC=example,DC=com"

# LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is
# only refreshed when it is more than roughly 14 days old, so it can lag by that much.
# The -ne $null clause drops accounts that have never logged in; list those separately.
Get-ADUser -Filter { Enabled -eq $true } -SearchBase $OU -Properties Name,SamAccountName,LastLogonDate |
    Where-Object { ($_.LastLogonDate -ne $null) -and ($_.LastLogonDate -lt (Get-Date).AddDays(-30)) } |
    Sort-Object LastLogonDate |
    Select-Object Name,SamAccountName,LastLogonDate
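For the Linux side of the same check, here is an added example (not code from the original post) that parses lastlog output, applies the post's 30-day rule, and also reports accounts that have never logged in; the sample output, the POST_DATE reference point and the script file name are constructed assumptions:

```python
# Flag Linux accounts that are stale or never used, from `lastlog` output.
# On a host: lastlog | python3 stale_accounts.py (hypothetical file name);
# with nothing on stdin it runs on the constructed sample below.
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout printed by lastlog (shadow-utils).
SAMPLE_LASTLOG = """\
Username         Port     From             Latest
root             pts/0    10.0.0.5         Mon Mar  4 09:12:33 +0000 2019
daemon                                     **Never logged in**
alice            pts/1    192.168.1.10     Tue Jan  8 14:05:10 +0000 2019
bob              tty1                      Fri Mar 15 07:40:02 +0000 2019
svc_backup                                 **Never logged in**
"""
POST_DATE = datetime(2019, 3, 18, tzinfo=timezone.utc)  # assumed "now" for the sample
LASTLOG_DATE_FMT = "%a %b %d %H:%M:%S %z %Y"  # e.g. "Mon Mar  4 09:12:33 +0000 2019"

def parse_lastlog(text):
    """Return {username: datetime or None}; None means the account never logged in."""
    logins = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if not parts:
            continue
        if "**Never logged in**" in line:
            logins[parts[0]] = None
            continue
        # Port and From may be blank, so do not count columns: the timestamp
        # is always the last six whitespace-separated fields of the line.
        logins[parts[0]] = datetime.strptime(" ".join(parts[-6:]), LASTLOG_DATE_FMT)
    return logins

def find_stale_accounts(text, now, max_idle_days=30):
    """Return (stale, never): stale = [(user, 'YYYY-MM-DD')] idle past the limit, never = [user]."""
    cutoff = now - timedelta(days=max_idle_days)
    stale, never = [], []
    for user, last in sorted(parse_lastlog(text).items()):
        if last is None:
            never.append(user)
        elif last < cutoff:
            stale.append((user, last.strftime("%Y-%m-%d")))
    return stale, never

if __name__ == "__main__":
    piped = not sys.stdin.isatty()
    stale, never = find_stale_accounts(sys.stdin.read() if piped else SAMPLE_LASTLOG,
                                       datetime.now(timezone.utc) if piped else POST_DATE)
    for user, last in stale:
        print(f"STALE  {user:<16} last login {last}")
    print("NEVER  " + ", ".join(never))
```

System accounts such as daemon are expected never to log in, so restrict the input to interactive users (for example `lastlog -u 1000-60000`) before acting on the NEVER list.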

It’s not hard to do and only takes a couple of minutes once a month. There are other user account-related topics we’ll cover in future posts, but this one is low-hanging fruit in the effort to secure our infrastructure. I’m pretty excited about next week’s topic, so you’ll definitely want to stop back by to find out what I have in store!
