Dead doesn’t always mean dead – at least not in the case of Windows user accounts.
In an examination of Windows’ implementation of the Kerberos authentication protocol, researchers at Aorato have found that a disabled user account in can remain valid for up to 10 hours after having been revoked. As a result, disabled accounts can expose companies to attackers looking to gain access to a corporate network.
Kerberos is the default authentication protocol for Windows, and is implemented in Windows’ Active Directory. It works on the basis of ‘tickets’ that allow nodes communicating over a non-secure network to verify their identity to one another. These tickets contain all of the user’s relevant authentication and authorization information.
“This information enables the KDC (i.e. the Key Distribution Center. Consider it as the Kerberos’ ‘key master’ which grants specific access to other organizational services) to rely solely on the ticket information for the user’s authentication and authorization,” blogged Tal Be’ery, vice president of research at Aorato. “In other words, using a ticket Kerberos decouples the users’ credentials from the actual access to services.”
“Since Kerberos authentication and authorization is based solely on the ticket – and not on the user’s credentials, it means that disabling the user’s account has no effect on their ability to access data and services,” the researcher continued. “This creates a peculiar situation in which these supposedly ‘dead’ (i.e. disabled) users are actually still very much alive. As such, we aptly named the users in this limbo state as ‘Zombie Users’. These users will rest in peace only when their (TGT) ticket expires, typically after 10 hours.”
In addition, Active Directory does not externalize the ticket information through logs and events, meaning exploitation of zombie users cannot be mitigated through traditional log and SIEM (security information event management), according to Be’ery.
“Zombie Users pose a very prevalent threat for the security of the enterprise,” Be’ery explained. “In the current employment market, many companies suffer from a very high employee turnover rate. In fact, in some Fortune 500 companies the median employee tenure is less than a year, which means that half of their workforce is replaced within a year’s time. All of these leaving employees must have their user account disabled and therefore each of them is a potential Zombie User.”
Combining this stat with the fact that 95 percent of Fortune 1000 companies use Windows-based networks, yields a very ample attack surface for zombie users, he added.
As a solution, Aorato recommends re-coupling the ticket with the user’s account and monitor changes in the user account’s state and activities, particularly the revocation of the user’s account.
