I recently had a task: Find an industry best practice that says you need to remove all rights or permissions or groups from the account of a former employee, rather than just disabling the account.
There was only one problem. I could find no such thing. None. Nothing. In fact, I expect this blog entry to rocket to the top of the Google search results for just such a thing, because no such guidance exists. The question is, will anyone else ever search for such a thing?
I was eventually able to get more clarification. The organization in question was getting in trouble from an auditor, who was finding disabled accounts that were in groups. For some reason, deleting the accounts wasn’t possible, so the auditor wanted the rights removed from the accounts.
Based on that clarification, I was able to give him the justification. The auditor clearly was using the strictest possible definition of the concept of least privilege: Give a user no more rights than necessary. A former employee has no need for the right to log on, or anything else, right? So, under the concept of least privilege, you can justify the practice of removing all rights from disabled accounts.
Here’s a real-world example of that: As part of the DISA STIGs, the U.S. government creates fake administrator accounts on their Windows computers with no rights, then disables the account. Then, if an attacker manages to re-enable the account, it still has no rights, so it’s not good for anything. What about the real built-in administrator account? Rename it to look like any other ordinary account. Pick a name and follow your normal organizational naming scheme. From a security standpoint, the more ordinary it looks, the better, though from an operational standpoint, people usually use the names of cartoon characters or famous people. But rjones is much harder to pick out of the crowd than psmurf or gwashington.
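The decoy-and-rename practice above, as an added PowerShell example that is not from the original post or from the STIG itself. It assumes an elevated session on a Windows host with the Microsoft.PowerShell.LocalAccounts module, and that the names passed in follow your own naming scheme; the built-in Administrator is located by its well-known RID 500 rather than by name, because the name is exactly what gets changed.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Microsoft.PowerShell.LocalAccounts

function Rename-BuiltinAdministrator {
    param([Parameter(Mandatory)][string] $NewName)   # e.g. 'rjones'
    # The built-in Administrator keeps RID 500 whatever it is called,
    # so find it by SID, not by name.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    Rename-LocalUser -InputObject $builtin -NewName $NewName
    return Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
}

function New-DecoyAdministrator {
    param([string] $DecoyName = 'Administrator')   # run after the rename
    # New-LocalUser puts the account in no groups, so it carries no rights.
    # A random password is generated and never stored anywhere.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-LocalUser -Name $DecoyName -Password $pw -PasswordNeverExpires `
        -Description 'Decoy account (assumed label)' | Out-Null
    Disable-LocalUser -Name $DecoyName
    return Get-LocalUser -Name $DecoyName
}

function Test-HasNoGroupMembership {
    # Audit check: true when the account is a member of no local group.
    param([Parameter(Mandatory)][string] $Name)
    $sid = (Get-LocalUser -Name $Name).SID.Value
    foreach ($grp in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue
        if ($members.SID.Value -contains $sid) { return $false }
    }
    return $true
}

# Usage (order matters: free up the name before creating the decoy):
# Rename-BuiltinAdministrator -NewName 'rjones'
# New-DecoyAdministrator
# Test-HasNoGroupMembership -Name 'Administrator'   # expect True
```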
I can think of circumstances where an attacker in a position to enable a disabled account would also be able to assign rights to that account, but at the very least, this practice makes the attacker do more work. Slowing down attackers is a good thing. It also causes auditable events, creating a paper trail, and making it more likely for the activity to be discovered. That’s an even better thing.
So, while I couldn’t find anything that explicitly said, “Thou shalt remove all permissions from suspended accounts,” it’s not a bad idea. And that’s why.
The counter-argument is that removing all rights makes re-enabling the account much harder. So if the suspension is only temporary, say during a leave of absence or during an investigation, you may prefer to leave the rights intact, but disable the account. That way, when the employee returns, it’s a very fast operation to re-enable the account.
The question is whether the increased security is worth the extra trouble. What extra trouble? Open a ticket, document the current rights, dump the rights, then disable the account and close the ticket, and then, when the employee returns, open a new ticket, pull up the closed ticket, enable the account, put the rights back, then close the new ticket. But that’s a battle for the head of IT to fight with the head of security. Then again, that’s not something that should happen all that often. And you might do it for someone on maternity leave, who’s expected to be gone for weeks or even months, but not for someone on bereavement leave or on jury duty or taking a week’s vacation.
Under what circumstances you go that extra mile is something the decision-makers have to work out amongst themselves.
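The "document the rights, dump the rights, disable" step and its reverse, as an added PowerShell example that is not from the original post. It assumes the ActiveDirectory module, an account with rights to modify the user and its groups, and a ticket share at the assumed path $TicketDir where the record of group memberships is kept under the ticket number.

```powershell
#Requires -Modules ActiveDirectory

function Suspend-UserWithRecord {
    param(
        [Parameter(Mandatory)][string] $SamAccountName,
        [Parameter(Mandatory)][string] $TicketId,
        [string] $TicketDir = '\\fileserver\tickets'   # assumed location
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    # Record every group except the primary group (normally Domain Users),
    # which Remove-ADGroupMember cannot remove anyway.
    $groups = Get-ADPrincipalGroupMembership -Identity $user |
        Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup }
    $record = [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        Ticket         = $TicketId
        Recorded       = (Get-Date).ToString('o')
        Groups         = @($groups.DistinguishedName)
    }
    # Write the record first: if this fails, nothing has been stripped yet.
    $record | ConvertTo-Json | Set-Content -Path (Join-Path $TicketDir "$TicketId.json")
    foreach ($g in $groups) {
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
    }
    Disable-ADAccount -Identity $user
    return $record
}

function Restore-UserFromRecord {
    param(
        [Parameter(Mandatory)][string] $TicketId,
        [string] $TicketDir = '\\fileserver\tickets'   # assumed location
    )
    $record = Get-Content -Raw (Join-Path $TicketDir "$TicketId.json") | ConvertFrom-Json
    $user = Get-ADUser -Identity $record.SamAccountName
    Enable-ADAccount -Identity $user
    foreach ($dn in @($record.Groups)) {
        Add-ADGroupMember -Identity $dn -Members $user
    }
    return Get-ADPrincipalGroupMembership -Identity $user
}

# Usage:
# Suspend-UserWithRecord -SamAccountName 'rjones' -TicketId 'INC-0001'
# Restore-UserFromRecord -TicketId 'INC-0001'
```

Both functions leave the group changes and the enable/disable as separate directory events, so the paper trail the text mentions is produced by the directory itself, not only by the ticket.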
Now, why didn’t I find any of this in an industry best practice?
Best practice is to delete the account. An account can’t harm you if it no longer exists. You might disable the account for some set period of time, in case there’s something associated with the account that you end up needing, then delete the account. But if you go strictly by best practices, at some point you have to delete the account. There’s no way around it.
Now, if you’ll excuse me going all textbook for a minute, removing permissions from accounts you can’t delete isn’t so much a best practice as a compensating control. When you can’t do the right thing, you do one or more things to try to make up some of the difference.
The other lesson here is that sometimes you need more information. When I was told to find an industry best practice, I couldn’t find much, and I wasted several hours digging for something I wasn’t going to find. When I found out the reason for the question (deleting accounts wasn’t possible, and auditors were complaining about disabled accounts having rights), then it became an easy answer. Easy as in blurting out, without even thinking, “Oh, you’re dealing with someone who reads the concept of least privilege as strictly as humanly possible.” That was easier than remembering what I’m supposed to say when I answer the phone. Seriously.
In theory, an organization could run a script daily to move disabled accounts into a disabled OU that no one except domain administrators had access to. That way, rights or no rights, the accounts are worthless to a hacker.
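The daily move-to-a-locked-down-OU script, as an added PowerShell example that is not from the original post. It assumes the ActiveDirectory module, that the quarantine OU already exists at the assumed path in $QuarantineOU with an ACL granting access only to domain administrators, and that the job runs with rights to move objects into it. Built-in disabled accounts such as Guest and krbtgt (well-known RIDs below 1000) are skipped, since they are not former-employee accounts and should stay where they are.

```powershell
#Requires -Modules ActiveDirectory

function Move-DisabledUsersToQuarantine {
    param(
        [string] $QuarantineOU = 'OU=Disabled,DC=example,DC=com',   # assumed
        [switch] $WhatIf   # pass -WhatIf on the first run to preview the moves
    )
    $moved = @()
    # Search-ADAccount -AccountDisabled returns accounts with the
    # ACCOUNTDISABLE bit set; -UsersOnly leaves computer accounts alone.
    $candidates = Search-ADAccount -AccountDisabled -UsersOnly |
        Where-Object {
            # Skip accounts already in the quarantine OU...
            $_.DistinguishedName -notlike "*,$QuarantineOU" -and
            # ...and well-known built-in accounts (RID < 1000).
            [int]($_.SID.Value.Split('-')[-1]) -ge 1000
        }
    foreach ($acct in $candidates) {
        Move-ADObject -Identity $acct.DistinguishedName -TargetPath $QuarantineOU -WhatIf:$WhatIf
        $moved += $acct.SamAccountName
    }
    # Returning the list lets a scheduled task log exactly what changed.
    return $moved
}

# Usage: schedule this daily, e.g. from a task that runs
# Move-DisabledUsersToQuarantine -Verbose | Out-File 'C:\logs\quarantine.log' -Append
```

Moving the object does not change its group memberships, so this is the complement of stripping rights: the account stays unusable even if it is re-enabled, because nothing but a domain administrator can reach it in the quarantine OU.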
I do know that deleting accounts from AD before removing them from some AD-dependent packages (like SharePoint) can create a mess, and when the same group of people doesn’t do both parts, it’s easier to disable the accounts and then wait a while before actually deleting them. In theory.