Account Management
Introduction
Safeguard 5 - Account Management
Account management includes keeping track of accounts, appropriately granting permissions, and separating administrator accounts from everyday user accounts. Good account management is organized and centralized.
Procedures
5.1 - Establish and Maintain an Inventory of Accounts
An account inventory keeps track of all accounts, from standard users to administrators.
- Create a list of all accounts.
- Include whether or not the account is an administrator.
- Include the account owner’s name, username, start/stop dates, and department.
- Validate that all accounts are authorized quarterly, or more often.
5.2 - Use Unique Passwords
Building a strong password is one of the first and most important steps in ensuring no one but yourself and those you authorize can access your system.
When creating and managing passwords, follow these rules to effectively balance convenience and security:
- Avoid using short, simple passwords. Instead, use:
- At least 3-4 words (or a minimum of 12 random characters)
- Capital letters
- Special characters (e.g.
#,@!$%^&*()
) - Numbers
- Don’t reuse passwords. Reusing passwords could give a hacker access to multiple accounts.
- Use a strong password manager. It can be dangerous to write your passwords down if you use your computer in a public area such as an office, and keeping your passwords in something like a text document can also easily be stolen. Using a password manager can be a strong way to protect your passwords.
To view Virginia Tech’s password requirements and password examples, see the Changes to Password Requirements article published by the Division of IT. Following these password complexity rules for other personal endpoint accounts will ensure the best balance between safety and ease of use.
5.3 - Disable Dormant Accounts
Accounts that haven’t been used in a while should be disabled in the event they are breached. Dormant accounts that are left with access can be exploited in the future. Dormant accounts should be disabled or removed after 45 days, at a minimum.
Windows Active Directory
The following is a PowerShell script by Tim Clevenger that can be used to disable dormant accounts:
# disableUsers.ps1
# Set msDS-LogonTimeSyncInterval (days) to a sane number. By
# default lastLogonDate only replicates between DCs every 9-14
# days unless this attribute is set to a shorter interval.
# Also, make sure to create the EventLog source before running, or
# comment out the Write-EventLog lines if no event logging is
# needed. Only needed once on each machine running this script.
# New-EventLog -LogName Application -Source "DisableUsers.ps1"
# Remove "-WhatIf"s before putting into production.
Import-Module ActiveDirectory
$inactiveDays = 45
$neverLoggedInDays = 45
$disableDaysInactive=(Get-Date).AddDays(-($inactiveDays))
$disableDaysNeverLoggedIn=(Get-Date).AddDays(-($neverLoggedInDays))
# Identify and disable users who have not logged in in x days
$disableUsers1 = Get-ADUser -SearchBase "OU=Users,OU=Demo Accounts,DC=lab,DC=clev,DC=work" -Filter {Enabled -eq $TRUE} -Properties lastLogonDate, whenCreated, distinguishedName | Where-Object {($_.lastLogonDate -lt $disableDaysInactive) -and ($_.lastLogonDate -ne $NULL)}
$disableUsers1 | ForEach-Object {
Disable-ADAccount $_ -WhatIf
Write-EventLog -Source "DisableUsers.ps1" -EventId 9090 -LogName Application -Message "Attempted to disable user $_ because the last login was more than $inactiveDays ago."
}
# Identify and disable users who were created x days ago and never logged in.
$disableUsers2 = Get-ADUser -SearchBase "OU=Users,OU=Demo Accounts,DC=lab,DC=clev,DC=work" -Filter {Enabled -eq $TRUE} -Properties lastLogonDate, whenCreated, distinguishedName | Where-Object {($_.whenCreated -lt $disableDaysNeverLoggedIn) -and (-not ($_.lastLogonDate -ne $NULL))}
$disableUsers2 | ForEach-Object {
Disable-ADAccount $_ -WhatIf
Write-EventLog -Source "DisableUsers.ps1" -EventId 9091 -LogName Application -Message "Attempted to disable user $_ because user has never logged in and $neverLoggedInDays days have passed."
}
- Save the above PowerShell script.
- Use the following command to register the script:
New-EventLog -LogName Application -Source "DisableUsers.ps1"
Linux
Enter the following command to find users that haven’t logged in within 45 days and disable them. Note that this also logs the users whose accounts have been disabled.
lastlog -b 45 | awk '!/Never log/ {if (NR > 1) print $1}' |
tee -a ~/usermod-L.log | xargs -I{} usermod -L {}
macOS
Set Account Policy to Disable Dormant Accounts
The following steps work for macOS Big Sur, Monterey, and Catalina. These may not function properly in macOS Catalina versions prior to 10.15.7.
- Edit the current password policy to contain the following within the “policyCategoryAuthentication”:
<dict> <key>policyContent</key> <string>policyAttributeLastAuthenticationTime > policyAttributeCurrentTime - (policyAttributeInactiveDays * 24 * 60 * 60)</string> <key>policyIdentifier</key> <string>Inactive Account</string> <key>policyParameters</key> <dict> <key>policyAttributeInactiveDays<key> <integer>45</integer> </dict> </dict>
- Save the file and exit to the command prompt.
- Load the new policy file by running the following command, replacing
$pwpolicy_file
with the name of the new policy file:/usr/bin/pwpolicy setaccountpolicies $pwpolicy_file
Disable a User Account via Workgroup Manager
- Open Workgroup Manager.
- When prompted, enter your local administrator username and password, then click OK.
- In the Basic pane, deselect the User can access account option.
Disable a User Account via the Command Line
The following command prevents a user from logging in and terminates their processes on LDAP/Password server users:
pwpolicy -a [domain administrator] -u [username] -setpolicy "isDisabled=1"
5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts
Administrator privileges should only be granted to dedicated administrator accounts. These administrator accounts should only be used to accomplish administrative tasks. Limiting administrator access in this way reduces potential attackers’ ability to escalate their privileges and do more damage.
5.5 - Establish and Maintain an Inventory of Service Accounts
- Create a list of all service accounts. Include the department owner’s name, the review date, the account’s purpose, and any other relevant information.
- Review the service account inventory quarterly to identify any accounts that need to be added or removed.
5.6 - Centralize Account Management
Account management should be centralized via an identity service or directory. One of the most common implementations is the use of Active Directory.
Windows Active Directory
What is Active Directory? Active Directory is a Microsoft service that uses Lightweight Directory Access Protocol (LDAP), Kerberos, and DNS. It allows for straightforward Windows user authentication and domain management.
For more information regarding Active Directory in Windows environments, refer to the Active Directory Domain Service documentation. Microsoft also has Azure Active Directory. For more information, refer to the Azure Active Directory documentation.
Linux Account Management
Linux has several options for account management. Linux natively has several account management tools such as sysadmin
and passwd
. There also exists FreeIPA, which is a open-source account management solution that is closest to Microsoft Active Directory. For more information on FreeIPA, refer to the FreeIPA documentation.
Other
If you have questions that are not covered in these procedures, please contact the VT IT Security Office itso@vt.edu for a consultation.