by Josef Weiss
September 9, 2015
Managing a large number of user accounts is a challenge for most organizations. Unused and unnecessary accounts could potentially lead to user sprawl, exploitation, or misuse. Attackers will frequently exploit dormant accounts to impersonate once real users. As these dormant accounts were once legitimate accounts, and an additional layer of difficulty in tracking malicious users is added. Dormant accounts should be identified and removed when they are no longer needed. For organizations that must meet PCI standards, PCI Policy 8.5.5 states that inactive accounts must be removed/disabled at least every 90 days. Ensuring these accounts are identified and properly removed meets the Council on Cybersecurity (CoC), Critical Control 16 (CSC-16) requirements for a quick win in Account Monitoring and Control.
Nessus has several plugins and audit checks that report on inactive accounts. Audit checks have the ability to track users that have not logged on in the past X days, and users that have not changed their password in the last X days. By default, these checks are conducted within a specified SID range. This range is customizable within SecurityCenter by modifying the Start and End UID ranges in the SMB Use Domain and SMB Use Host to Enumerate Users within the Preferences tab of the Scan Policy.
This report presents data on Accounts with No Login, and Disabled Accounts along with Local and Domain User information, which assist in locating inactive users accounts across the organization quickly and easily. Utilizing the Account Status Indicator dashboard, analysts can attain additional account status details. The Account Status Indicators Dashboard contains several components that provide queries for plugins associated with user account settings and group memberships, and can be found in the SecurityCenter Feed.
Windows Guest accounts that are disabled are excluded from the results via regular expression, provided they are the only disabled account on the host. Windows Guest accounts are displayed in the details when grouped with other disabled accounts.
This report can be expanded with compliance checks from select Tenable Nessus audit files. Direct Feed and SecurityCenter customers who use Nessus to perform configuration audits of their Windows computers can benefit this technology. This feature provides enhanced auditing features, increased speed and is Tenable's foundation for compliance with NIST SCAP auditing requirements when auditing Microsoft platforms.
A powerful feature of these compliance checks for Windows is the ability to have conditional tests based on existing conditions. Detailed information can be found here: Version 2 of Windows compliance checks for testing and many compliance checks are available in the Tenable Windows PCI Audit file, available for download from the Tenable Support portal for licensed customers.
Utilizing these additional features, an analyst can expand on the reporting capability by adding report items that key on timestamps to report on the specific time that a users account has been inactive. For example, organizational policy may dictate that user accounts be deactivated but remain in place for a specific period of time when users leave an organization. The audit files can be configured with that timeframe in mind. When inactive/disabled accounts exceed that timeframe, an alert is generated at the next scan.
The report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the SecurityCenter Feed under the category Compliance & Configuration Assessment. The report requirements are:
- SecurityCenter 4.8.2
- Nessus 5.2.7
Tenable's SecurityCenter Continuous View (SecurityCenter CV) is the market-defining continuous network monitoring platform. SecurityCenter CV includes active vulnerability detection with Nessus and passive vulnerability detection with Passive Vulnerability Scanner (PVS), as well as log correlation with Log Correlation Engine (LCE). Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of its network. LCE provides deep packet inspection to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities.
The report contains the following Chapters:
- Executive Summary - The executive summary presents a graphical overview of inactive and disabled accounts via several tables. The Disabled/Inactive Accounts by Count table presents details in regards to the total number of devices found to have disabled/inactive accounts on them. The Disabled Accounts by Timetable presents information on how long disabled accounts have resided on the systems. The Asset Summary looks at every defined asset list in SecurityCenter and displays the number of hits identified from plugins 10897, 10913, and 10915. These plugins identify users that have never logged in, or are disabled, and target Windows hosts specifically. All assets are presented in the table so the analyst can verify that hosts are in the appropriate categories (That no Windows hosts with disabled/inactive accounts are defined in an inappropriate asset list).
- Accounts with No Login - The Accounts with No Login chapter displays results from systems that have been found to have accounts that have never been logged in to. In addition to the Administrator and Guest accounts, Nessus has only checked for local or domain users between certain UIDs. Typically those ranges are between 5000 and 10000. To specify a different range, edit the scan policy and change the 'Start UID' and/or 'End UID' preferences for 'SMB use host SID to enumerate local users' setting, and then re-run the scan.
- Disabled Accounts - The Disabled Accounts chapter displays results from systems that have been found to have accounts that have been disabled. In addition to the Administrator and Guest accounts, Nessus only checks for local or domain users between certain UIDs. Typically those ranges are between 5000 and 10000. To specify a different range, edit the scan policy and change the 'Start UID' and/or 'End UID' preferences for 'SMB use host SID to enumerate local users' setting, and then re-run the scan.
- Enumerate Local Users - This table present user data collected from Nessus via SMB, displaying a listing of local users. This is an important reference because it contains the full, in depth details on each local account.