5

After an IT audit of my company, the report said that our Active Directory contained too many non-personal user accounts. This caused a risk of misuse and unauthorized user access.

I checked my company's Active Directory today and noticed a lot of non-personal user accounts, but most of them seem to be related to systems that 'ought' to be running on the server. If I just deactivate them, I suppose some applications would break.

Do you guys see this as a potential security risk? Is there some way of logging in with one of these system accounts?

Francis
  • 51
  • 1
  • 3

4 Answers

8

You need to distinguish between two types of non-personal account:

  • Generic accounts are accounts that multiple humans can log in to. These are generally bad as you lose accountability. If John and Fred both have access, and a malicious event occurs, who do we blame - John or Fred?

  • Service accounts are used by applications, not by humans. Provided these are configured so a human cannot use them (which generally means tightly controlling the password) then these are not a major security risk.

paj28
  • 32,736
  • 8
  • 92
  • 130
  • Thanks for your reply. This post is regarding Service accounts. So you're saying that, in theory, someone could use a service account to log in to the system? This would be a legitimate risk in the scenario of a system administrator wanting to leave no trace leading to himself and using a service account for some access. – Francis Jan 23 '14 at 11:26
  • 2
    @user3225217 usually you'd deny "logon interactively" to a service account, but a sysadmin who knows the password could still do things like mount shares, access databases, whatever privileges the account has. So the best control is to randomly generate a complex password and store it in a locked-down config file. Still some risk that a sysadmin could get the password. In general it is incredibly hard to fully protect yourself from malicious sysadmins. – paj28 Jan 23 '14 at 11:55
  • Late to the show, but worth adding - it is impossible to protect yourself from a malicious sys-admin. However, in Server 2012 and later there are Group Managed Service Accounts, which not even the sys-admin has the password for, because it's internally generated by AD. Not suitable for every case, but they can still reduce your attack surface area dramatically. https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/ – Thomas Jan 16 '18 at 18:38
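The two controls discussed in this answer and its comments (a long random password nobody memorises, interactive logon denied, or a gMSA on Server 2012+), as an added PowerShell example that is not part of the original answer. It assumes the ActiveDirectory module, a hypothetical group `SVC-DenyInteractive` to which a GPO assigns the "Deny log on locally" and "Deny log on through Remote Desktop Services" rights, a hypothetical DNS suffix `corp.example`, and an existing KDS root key for the gMSA branch.

```powershell
# Added example; group, DNS suffix and host-group names are assumptions, not from the page.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 32)
    # 64-symbol alphabet: 256 is a multiple of 64, so "byte mod 64" is unbiased.
    # (If you change the alphabet size, switch to rejection sampling.)
    $alphabet = [char[]]('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#')
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Protect-LegacyServiceAccount {
    # Classic service account: reset to a random password that goes straight into the
    # application's locked-down config (or the paper safe) and is never memorised.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pw = New-RandomPassword
    $secure = ConvertTo-SecureString $pw -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    Set-ADUser -Identity $SamAccountName -PasswordNeverExpires $true -CannotChangePassword $true
    # The GPO's deny-logon rights key off this group membership (assumed group name).
    Add-ADGroupMember -Identity 'SVC-DenyInteractive' -Members $SamAccountName
    return $pw   # hand to the configuration step, then discard
}

function New-AppGmsa {
    # Server 2012+ alternative: AD generates and rotates the password itself, and only
    # the computers in $HostGroup may retrieve it, so no admin ever holds it.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$HostGroup)
    New-ADServiceAccount -Name $Name -DNSHostName "$Name.corp.example" `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup
}

# Usage (hypothetical names): harden an inherited account, or replace it with a gMSA.
$newPw = Protect-LegacyServiceAccount -SamAccountName 'svc-legacyapp'
New-AppGmsa -Name 'svc-app' -HostGroup 'AppServers'
```

The reset password is returned only so it can be written into the application's configuration; do not log or echo it.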
4

Security issues don't come from the presence of "anonymous" user accounts, but from users actually using them to perform actions (because then the users are no longer accountable: logs will tell you "Administrator did it" and not "Bob did it"). Logging in as some account simply means knowing the associated password and using it (however, accounts can be locked down by preventing their use for interactive sessions; that's done with GPO).

The auditor is having a knee-jerk reaction: he saw "many" such accounts, and thus spewed out the generic warning about anonymous accounts. However, this is somewhat misguided: the number of such accounts is not the problem; a single anonymous user account can be enough to lose accountability. It is just that the auditor thought that the presence of all these accounts is somehow indicative of a widespread local tradition of using anonymous accounts. A more thorough auditor would have analysed behaviours, to see if users actually use non-nominative accounts in their daily jobs, instead of mindlessly firing up "Active Directory Users and Computers" and counting the accounts.

On a general basis, you may want to "lock down" non-user accounts; a simple way is to make sure that no human knows the corresponding passwords. If the password must be entered as part of a configuration operation, then the password should be retrieved from the safe where it is kept (printed on some paper). Since such passwords need not be remembered, and are typed infrequently, they can be long, fat and random.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • Thanks for your response. I think you have a point. He should have analysed whether the accounts were actually used by anyone. On the other hand, he asked whether they were ever used by anyone, and to be honest, I don't know. That was actually something else I was wondering about. How can I check that no one uses these accounts? I have "inherited" the system and most of the accounts were there before I started. And even if we find out that they have been used by examining logs, we can't be sure if the account has been used by a system or by a user, can we? – Francis Jan 26 '14 at 20:40
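The behavioural check this answer asks for, and the follow-up question of whether an account was used by a system or by a person, as an added PowerShell example that is not part of the original answer. It assumes the ActiveDirectory module, that the non-personal accounts live in a hypothetical OU `OU=Service Accounts,DC=corp,DC=example`, and that the queried server's Security log records logon events (4624). The distinction it relies on is the logon type in the event: 2 (interactive), 10 (RDP) and 11 (cached interactive) mean someone typed the password, whereas services normally produce type 5 (service start) or 3 (network).

```powershell
# Added example; the OU path is an assumption, not from the page.
Import-Module ActiveDirectory

$HumanLogonTypes = @('2', '10', '11')   # interactive, RemoteInteractive, cached interactive

function Get-ServiceAccountUsage {
    # LastLogonDate is the replicated lastLogonTimestamp: accurate to ~14 days, which is
    # enough to find accounts nothing has used for months (deactivation candidates).
    param([string]$SearchBase = 'OU=Service Accounts,DC=corp,DC=example')
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties LastLogonDate, PasswordLastSet |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet,
            @{ n = 'IdleDays'; e = { if ($_.LastLogonDate) { (New-TimeSpan $_.LastLogonDate (Get-Date)).Days } else { 'never' } } }
}

function Find-HumanLogons {
    # Walk 4624 events and keep only those where a listed account logged on with a
    # logon type that implies a person, returning where it came from.
    param([string[]]$Accounts, [int]$Days = 30, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            if ($Accounts -contains $d['TargetUserName'] -and $HumanLogonTypes -contains $d['LogonType']) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = $d['TargetUserName']
                    LogonType   = $d['LogonType']
                    Source      = $d['IpAddress']
                    Workstation = $d['WorkstationName']
                }
            }
        }
}

# Usage: review idle accounts, then look for human-style logons by any of them.
$usage = Get-ServiceAccountUsage
$usage | Sort-Object LastLogonDate | Format-Table -AutoSize
Find-HumanLogons -Accounts $usage.SamAccountName -Days 30 | Format-Table -AutoSize
```

Run `Find-HumanLogons` against each domain controller (and application servers that keep their own Security log), since 4624 is written where the logon happens, not centrally.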
2

Usually you can't log in with an OS user unless someone has created a user with the very same name to trick the admin. You shouldn't worry about that, but you can review these users from time to time and check if they are being genuinely used by the system or by a suspicious user.

Nevertheless, the IT audit people are right: it is considered bad practice to use "general users" instead of nominative users; the main reason is that sometimes it will be very difficult, if not impossible, to guess which real person has done something presumably bad.

kiBytes
  • 3,450
  • 15
  • 26
  • Thanks for your response. I completely agree with the risk of "general" users, I should have said "non-human" users. I clearly understood the auditor as though someone might use a system user account which pertains to some program, to gain access to the AD. But do such accounts even have passwords? I just think he was wrong regarding such accounts. – Francis Jan 23 '14 at 10:03
  • That is the first phrase of the answer, isn't it? – kiBytes Jan 23 '14 at 10:05
  • Yes.... "usually".. – Francis Jan 23 '14 at 11:22
  • Ahm, sorry, yes, it is usually. Because it will depend on the OS we are considering; for example, in Linux, system users don't even have a password (have a look at the shadow file), and in Windows these accounts are in a different space of the security subsystem, so you can't log in with them. So you won't have any problem. Anyway, since I don't know how every OS behaves in this matter, I prefer to use the word "usually" =) – kiBytes Jan 23 '14 at 12:20
1

What they should be asking is - How are generic accounts managed and do you know what they are for? The amount is irrelevant if passwords and interactive login are managed.

Pedro
  • 11
  • 1