Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show notes: User Access Management
Quick Take
On this week’s episode of Compliance Unfiltered, we cover the ins and outs of User Access Management.
- What is User Access Management?
- Why is it one of the most critical aspects of your security practice?
- How does one initially get things under control?
Need answers? No worries. We cover all these points in detail, and more on this week’s episode of Compliance Unfiltered!
Remember to follow Compliance Unfiltered on Twitter.
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who would definitely be on my team sheet for the Compliance World Cup. Adam Goslin, Adam, how the heck are you? I’m doing good, Todd, how are you? I can’t complain, I cannot complain at all. I understand today we’re going to talk about a little bit of a niche topic, but something that is actually surprisingly more applicable than people think, and that is user access management.
So talk to me a little bit more about what exactly is user access management. It’s going through, in most organizations, systems, whatever, there’s some conduit through which users gain access to systems, assets, etc. And it’s the act of looking at and reviewing those users that have access on a periodic basis, so that you can clean up stuff that needs cleaning up, making sure that all of your other functions within the organizations, like, oh, I don’t know, shutting people off once they’re gone from the organization, that that actually happened, making it happen. Sure. That people have the right stuff, if you will. All of that is all balled into the user access management review, if you will.
Okay. Well, I mean, that’s messy. So, how does one initially get things under control in this realm? Well, the reality is that any time you’re going into this for the first time, it’s messy. Most of the time, from what I’ve seen, there’s few organizations that I’m working with, etc., right out of the gate, that, oh, everything’s perfect, right? There’s always some measure of cleanup, some a lot more than others. So, as you go in to start digging through each of these accounts that you’ve got in your central access control system, typically Active Directory, LDAP, something along those lines, there should be a description that describes, what is this account for? What is the business purpose of this account? Why is it there, etc.? The first time that you go in to really go take a look at this, especially with an organization that hasn’t had an ongoing security compliance process and procedure for some period of time, or it’s never gone through an audit, it’s going to be a disaster. So, you’re going to walk into all sorts of stuff. It’s not organized, you’re going to have a whole ton of them without any type of labeling for, what is this account, etc. What you’re looking for is, you’re looking to make order out of the chaos, if you will. So, the first step in going through all of these accounts is to get them organized. Usually I’ll take the accounts, and I’ll try to split them logically into three different groups, so that I can make it a little bit easier to deal with the various accounts. So what I’ll typically do is I’ll say, these ones are user accounts, these ones are vendor accounts, and these ones are system accounts. And then that way, when you’re setting up and adding new accounts to your Active Directory, then you can maintain that same kind of nomenclature as you’re going through. So, what I’ll usually do in that description field, I’ve typically used that.
It depends on what access management system you’ve got, and capabilities it has, but almost every single one is going to have a description, sometimes a comment or description field. So I’ll usually just take whatever that field is and use it to include all the information that I want to have in there. So I’ll preface the description: for user accounts I’ll just put “User:”, for vendor accounts I’ll put “Vendor User:”, for any service accounts that I’ve got I’ll put in “Service Account:”, and then the rest of the description can follow. Once you get through that first pass, that’s where you want to go through, at least get those blips into that list, so that now I can take the list and turn around and focus on each of the individual arenas, if you will.
Now, what should you look for on, like, internal user accounts? So for internal users, or users of the organization, if you will. The first thing that I’ll do is I’ll go in and I’ll look at the enabled user accounts. So typically with the user accounts, there’s an enabled/disabled flag. So I’ll go and I’ll look at the enabled users. We want to make sure that each of them has their own named account. That should be the case when you’re walking in. So you want to make sure that each individual user has their own named account, if you’re not seeing things on that list that would gear you otherwise. So as you’re going through and reviewing that list of internal users, the first thing, you go in and take a look at, should all those enabled accounts actually be enabled? Are there any of them that should be disabled? So, like I was saying a minute ago, somebody drops the ball, somebody doesn’t turn off a particular account. Oops, I forgot, oh, whatever, Mary told me to wait until 10 PM and I forgot because it was a weekend, etc. So go through, certainly looking for terminated employees, looking for interns that moved on, bouncing the enabled accounts up against the active list of folks from HR. Those are all good mechanisms for cross-checking, double-checking the list that I’m sitting here faced with.
You shouldn’t have enabled accounts that are no longer needed.
Second arena is, look at when does the password expire? Number one, it sounds odd, but there’s a number of administrators that hate changing their passwords. So, they’ll just go in because they have the power and set their account never to expire. That’s fantastic, but violates every aspect of security and compliance that we have for the organization. So we want to make sure that all passwords have an expiration, that they all have an expiration period that makes sense. So like PCI is an example, they require passwords that expire within 90 days, that’s the rule as of right now. So, as you’re going down and you’re scanning the password expirations, is there stuff that is sitting out there with a password expiration that’s past 90 days? Which leads to the next arena, are there expired passwords? That should be a key indicator for maybe this user doesn’t need this account anymore. It may very well be that they’re still an appropriate and authorized user. No, they haven’t logged into the system in 95 days, but they may not need to until it’s 100 or 150 days or something, but they’re still a valid user. But that’s a good way for you to go in and have a discussion with the various levels and management, etc., to find out is this still appropriate? There’s typically a last login field. When was the last time this user logged in? So that’s another thing that I’ll go in and look for. The user’s never logged in, or hasn’t logged in for an extremely long period of time, another indicator that they may not need that particular account anymore. Are there any accounts that aren’t allocated to specific people? So some of the key indicators you’ll see are something like intern 3 or vendor 42, that type of thing, or just straight up admin, right? And the reality is, if you’re seeing generic accounts, then make sure that they are tied to specific individuals.
Now, I’ve seen some approaches for some organizations where because of the fact that I’ll pick on the intern pool, because the interns turn over so fricking quickly, they get tired of deploying one for Mary Smith and then retracting it, etc.
And so, what they’ll do instead is they’ll create intern one through 10, and they will specifically allocate intern one for the next two months is Bob, and then intern one is going to turn into Frank, and then intern one will be Mary type of thing. So as long as there’s a way for us to be able to trace and track that back, etc., it’s okay to have that. But, certainly as you’re going through and doing the review you’re going to see some type of thing, and it allows you to go in and dig in a little bit deeper.
Another arena that I’ll also keep my eyeball out for is as you’re scanning down the list, I’ll typically put it into alphabetical order because I can’t tell you how many times that I’ve seen Bob Smith, Bob Smith 1, Bob Smith underscore, Bob Smith 73, etc. There might be reasons why Bob Smith has all of these freaking accounts. But again, number one, it’s a sign of something to go look into, but it could be a sign that you’ve got a bad actor in the system, right? Somebody decided to go spin off of Bob Smith 1, etc., and nobody’s gonna really question it because Bob Smith is really a legitimate user in this environment. So, there’s a bunch of different things that you can go in and look for when it comes to the users. The one pro tip that I’ll throw out there is when you’re seeing those users, sometimes I’ve seen use cases where you’ll get users that were terminated some time ago, but they still have an enabled account. And yet it’s a valid use case. And, sometimes the organizations want to keep that account open for a period of time so that they can forward along emails, and things along those lines. So what they did is they went in, changed the password for the terminated user, redirected the email to go to their boss, and they want to leave that on for a period of time. That period of time may fluctuate, organization to organization. It really depends on who the person was that left. In many cases, for folks that haven’t been there that long, I don’t know, 30 to 45 days, somewhere in there is reasonable. But honestly, I’ve had people that have kept those accounts up and running for a year and more. Imagine, it was something that was real fundamental to the organization that now is no longer there. And, well, those once a year emails are popping up, that they were the only one that ever got them, etc. Yeah, there’s some valid reasons for them to go in and do that.
Now, what about vendor user accounts? I know that that opens up an entirely different can of worms. Yes, sir, it does. So where you’ve got your vendor user accounts, for each one that you see on the list, there’s several things that you can go through. Number one, is this still a valid vendor? It sounds dumb, but a lot of people will, oh, well, we’re no longer using ABC plumbing type of thing, but nobody thinks to go back and shut these accounts off, etc. Maybe they need to be left on for a period of time and whatnot. So, first things first, go through the list of the vendor accounts you’ve got and figure out is this thing even still needed? Certainly, for those vendor users, going through the vendor’s users with the vendor, is Bob Smith still there? I mean, I’ll tell you what, the one thing that the vendors suck at is telling you, hey, by the way, Mary’s no longer here, and Georgette moved on and, blah, blah, blah.
And yet they forget about going back to all the locations where they had the vendor. So, when you get to that quarterly pulse check, it’s a great idea to go revalidate the entire freaking list with the vendor. And, make sure, number one, are they still there? And, number two, should they still have access? It may very well be that Barb was amazing, and got a promotion, has moved out of day-to-day. And so, although Barb still works there, she should no longer have access at this point, because that torch has passed over to so and so. So, going through that list is important. And then once you’ve done those two, then go back to the list of things that I was just talking through with the individual internal users, and run through that same list of stuff with those vendor user accounts. In most cases, the vendors will have named accounts for each individual person. But there are occasions where the vendor has on their end a kind of secure repository for administering their accounts that they need on secondary systems, where they are tracking who is it that logged into this particular account, at what time and when, etc. So, if you run into a situation where yes, on your system it appears as if it’s one single vendor user that a multitude of people are leveraging, that’s where you want to go in and ask that vendor some very specific questions, ask them for proof or evidence of their ability to be able to tie this back, etc. And don’t take their word for it, do your due diligence when it comes to going through and having that discussion with the vendor. Most certainly.
Now, what about service accounts? What are service accounts? So, service accounts are different from those individual accounts, the internal user accounts and the vendor user accounts. First off, they aren’t associated with an individual, and they’re also typically set up without password expiration. So, these are system accounts that are used by the system. They’re often referred to as service accounts.
Basically, imagine that you need a user account for the system, for the web server, the database server, to authenticate into secondary devices, machine systems, a systematic way where the system is the only thing going in and doing that authentication. So, for those, they’re intended to be set up without anybody knowing what the passwords are for those particular service accounts. So there’s a couple of different things that you want to do as you’re going through and looking at those service accounts. So first off, do you see any that appear to have expiring passwords? If so, it may be a lead to, maybe this is labeled as a service account, but this is really a user account or a vendor user account, etc. It may be that they misconfigured the service account and the tick, tick, tick, tick of the password expiration just hasn’t gone off yet. So there’s things to be learned if you’re seeing password expirations on those service accounts. Second arena, go in and ask the question, do we still need this service account? Is it still being leveraged? That type of thing. And then the last arena for those service accounts is, as you go in and you look at the configuration, the AD configuration for that service account, make sure that interactive login is turned off. And what I mean by that is that when interactive login is turned on, that means that Adam is capable of typing in Adam’s username and Adam’s password and authenticating to the domain. If interactive login is turned off, let’s pretend Adam’s account was set up as a service account with interactive login turned off. Even if I knew the username and the password to that account and I went to go authenticate to the domain, it would instantly deny because the interactive login is turned off. The only capability for that account to be leveraged is systematically.
So that makes it such that even in the unlikely event that somebody got a hold of it, then they can’t be going into the front end and wreaking havoc. Shoot, there was something else I was going to say about interactive login. It just escaped me, oh, well, let me ask you this, any parting shots and thoughts for us today? Yeah, I mean, the reality is that when you’re going through user access management, you want to dig deeper. If you’re seeing anything that isn’t set up properly, look at it as an opportunity. When you’re seeing termed users where the connections are turned off, credentials still on, maybe there’s a failure with another control within the environment. So, going through the user access management really gives you an opportunity to go in and take a good dive. It’s actually funny, the more that you go through and do this, like your first time, I told you this earlier, the first time you go through and do this, it is monstrously painful, but it gets a little bit easier. I liken it to, it’d be similar to going and wherever in your house, home, apartment, whatever, wherever it is that you store stuff. Let’s say you hadn’t gone and messed with that or cleaned it up in 15 years or something, right? The first time that you go in to forge into that arena and clean things up and go through everything, it’s a nightmare. But, as long as you have some proactive management, once you’ve got it cleaned up, then it’s a whole lot easier. The other pointer that I give folks is once you get through your Active Directory, your central authentication mechanisms, etc., then don’t forget there’s individual devices that could have local accounts. So think the local logins to the firewall, the local logins to your switches, things along those lines. Those systems are gonna have local users as well. Those need some care, feeding, attention, etc.
Obviously, if you get through the Active Directory first, then expand your search, get out all of those ones with the local accounts. And finally, we talked earlier on about going through, looking at your enabled accounts. That’s just so that you can sit and focus, right? But after a year, two, three, five, you’re gonna end up with a pool of disabled accounts sitting there, right? Go through those disabled accounts at some point in the game and clean up the mess. It’s super easy to just go disabled. But, the bottom line is that at some point in the game you’re going to go back and clean it up, so go through those disabled accounts. I mean, what I’ll try to push people to do, once they’ve got their periodic review process under control, once that happens, then go back through those disabled accounts as part of that quarterly process, so that you’re keeping up with it as you go.
And that right there. That’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
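The review Adam walks through above (three account categories keyed off a Description prefix, enabled accounts checked against HR, never-expiring and expired passwords, stale or absent last logins, generic names, look-alike accounts, and service accounts that expire when they shouldn’t) can be turned into a worksheet with a few lines of PowerShell. The script below is an added example and is not from the episode or from TCT. It assumes the ActiveDirectory RSAT module, read access to the domain, the “User:” / “Vendor User:” / “Service Account:” prefixes described in the episode, and, optionally, an HR export CSV with a SamAccountName column of currently active staff (that column name is an assumption). The 90-day staleness threshold for logins is also an assumption; the 90-day password window is the PCI figure quoted in the episode.

```powershell
# Added example (not the podcast's or TCT's code): build a first-pass user access review
# worksheet from Active Directory. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Category is taken from the Description prefix convention described in the episode.
function Get-AccountCategory {
    param([string]$Description)
    switch -Regex ($Description) {
        '^\s*Service Account:' { return 'Service' }
        '^\s*Vendor User:'     { return 'Vendor' }
        '^\s*User:'            { return 'User' }
        default                { return 'Unlabelled' }
    }
}

function Get-AccessReviewReport {
    param(
        [int]$MaxPasswordAgeDays = 90,            # PCI expiry window cited in the episode
        [int]$StaleLoginDays     = 90,            # assumption: what counts as "hasn't logged in in ages"
        [string]$HrExportPath    = '',            # assumption: CSV of active staff with a SamAccountName column
        [string]$OutputPath      = '.\access-review.csv'
    )
    $now   = Get-Date
    $props = 'Description','Enabled','PasswordNeverExpires','PasswordExpired',
             'PasswordLastSet','LastLogonDate','WhenCreated'
    $accounts = Get-ADUser -Filter * -Properties $props

    # Generic or shared-looking names the episode calls out (admin, intern3, vendor42 ...).
    $genericPattern = '^(admin|administrator|intern\d*|vendor\d*|test\d*|temp\d*)$'

    # Look-alike accounts: group by the name with trailing digits/underscores stripped
    # (bsmith, bsmith1, bsmith_, bsmith73 all collapse to "bsmith").
    $dupBases = @($accounts |
        Group-Object { $_.SamAccountName -replace '[\d_]+$', '' } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Name })

    $hrActive = $null
    if ($HrExportPath -and (Test-Path $HrExportPath)) {
        $hrActive = (Import-Csv $HrExportPath).SamAccountName | ForEach-Object { $_.ToLower() }
    }

    $report = foreach ($a in $accounts) {
        $category = Get-AccountCategory $a.Description
        $flags    = [System.Collections.Generic.List[string]]::new()
        $base     = $a.SamAccountName -replace '[\d_]+$', ''

        if ($category -eq 'Unlabelled')               { $flags.Add('NoDescriptionPrefix') }
        if ($a.SamAccountName -match $genericPattern) { $flags.Add('GenericName') }
        if ($dupBases -contains $base)                { $flags.Add("LookAlikeAccounts:$base") }

        # The detailed checks only matter for enabled accounts; disabled ones are listed
        # so the periodic cleanup of that pool can be worked from the same sheet.
        if ($a.Enabled) {
            if ($category -ne 'Service' -and $a.PasswordNeverExpires) { $flags.Add('PasswordNeverExpires') }
            if ($category -eq 'Service' -and -not $a.PasswordNeverExpires) { $flags.Add('ServiceAccountPasswordExpires') }
            if ($a.PasswordExpired) { $flags.Add('PasswordExpired') }
            if ($a.PasswordLastSet -and ($now - $a.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays) {
                $flags.Add("PasswordOlderThan${MaxPasswordAgeDays}d")
            }
            if (-not $a.LastLogonDate) { $flags.Add('NeverLoggedIn') }
            elseif (($now - $a.LastLogonDate).TotalDays -gt $StaleLoginDays) { $flags.Add("NoLoginIn${StaleLoginDays}d") }
            if ($hrActive -and $category -eq 'User' -and $hrActive -notcontains $a.SamAccountName.ToLower()) {
                $flags.Add('NotOnHRActiveList')
            }
        }

        [pscustomobject]@{
            SamAccountName  = $a.SamAccountName
            Category        = $category
            Enabled         = $a.Enabled
            Created         = $a.WhenCreated
            PasswordLastSet = $a.PasswordLastSet
            LastLogonDate   = $a.LastLogonDate
            Flags           = ($flags -join ';')
            Description     = $a.Description
        }
    }

    $report | Sort-Object Category, SamAccountName |
        Export-Csv -Path $OutputPath -NoTypeInformation
    $report
}

# Usage: Get-AccessReviewReport -HrExportPath '.\hr-active.csv' | Where-Object Flags | Format-Table -AutoSize
```

Two caveats when reading the output. LastLogonDate is derived from the replicated lastLogonTimestamp attribute and can lag the true last login by up to about two weeks, so treat it as a staleness indicator rather than an audit record. And the “interactive login turned off” check for service accounts is not an attribute on the account: it is the “Deny log on locally” user right (SeDenyInteractiveLogonRight) assigned through Group Policy or local security policy, so it has to be verified in the policy applied to the relevant machines rather than in this report.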