Windows Authentication Protocol Allows Deactivated User Accounts to Live On: Report

Dead doesn’t always mean dead – at least not in the case of Windows user accounts.

In an examination of Windows’ implementation of the Kerberos authentication protocol, researchers at Aorato have found that a disabled user account can remain valid for up to 10 hours after it has been revoked. As a result, disabled accounts can expose companies to attackers looking to gain access to a corporate network.

Kerberos is the default authentication protocol for Windows, and is implemented in Windows’ Active Directory. It works on the basis of ‘tickets’ that allow nodes communicating over a non-secure network to verify their identity to one another. These tickets contain all of the user’s relevant authentication and authorization information.

“This information enables the KDC (i.e. the Key Distribution Center. Consider it as the Kerberos’ ‘key master’ which grants specific access to other organizational services) to rely solely on the ticket information for the user’s authentication and authorization,” blogged Tal Be’ery, vice president of research at Aorato. “In other words, using a ticket Kerberos decouples the users’ credentials from the actual access to services.”

“Since Kerberos authentication and authorization is based solely on the ticket – and not on the user’s credentials, it means that disabling the user’s account has no effect on their ability to access data and services,” the researcher continued. “This creates a peculiar situation in which these supposedly ‘dead’ (i.e. disabled) users are actually still very much alive. As such, we aptly named the users in this limbo state as ‘Zombie Users’. These users will rest in peace only when their (TGT) ticket expires, typically after 10 hours.”

In addition, Active Directory does not externalize the ticket information through logs and events, meaning that abuse of zombie users cannot be detected or mitigated through traditional logging and SIEM (security information and event management) tools, according to Be’ery.

“Zombie Users pose a very prevalent threat for the security of the enterprise,” Be’ery explained. “In the current employment market, many companies suffer from a very high employee turnover rate. In fact, in some Fortune 500 companies the median employee tenure is less than a year, which means that half of their workforce is replaced within a year’s time. All of these leaving employees must have their user account disabled and therefore each of them is a potential Zombie User.”

Combining this stat with the fact that 95 percent of Fortune 1000 companies use Windows-based networks, yields a very ample attack surface for zombie users, he added.

As a solution, Aorato recommends re-coupling the ticket with the user’s account and monitoring changes in the user account’s state and activities, particularly the revocation of the user’s account.
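The monitoring idea above can be made concrete as a correlation rule: once an account-disable event is seen, any use of that account before its last-issued TGT would have expired is a “zombie” access worth alerting on. The script below is an added illustration, not code from the article or from Aorato. It assumes a 10-hour TGT lifetime (the Active Directory default, and the figure the article cites), and it works on constructed event tuples rather than any real log format. Because the article notes that Active Directory itself does not expose ticket usage in its logs, the `access` events are assumed to come from some other source, such as service-side access logs.

```python
from datetime import datetime, timedelta

# Assumed maximum lifetime of a user TGT. Active Directory's default Kerberos
# policy is 10 hours, matching the article's "typically after 10 hours";
# adjust to the value configured in your domain.
TGT_LIFETIME = timedelta(hours=10)

# Constructed sample events (not real log lines): (timestamp, kind, account).
#   "tgt_issued" - a TGT was granted to the account
#   "disabled"   - the account was disabled in Active Directory
#   "access"     - the account used a ticket against some service
SAMPLE_EVENTS = [
    ("2014-06-10 08:00", "tgt_issued", "jsmith"),
    ("2014-06-10 09:30", "disabled",   "jsmith"),
    ("2014-06-10 14:00", "access",     "jsmith"),   # TGT still valid -> zombie access
    ("2014-06-10 20:15", "access",     "jsmith"),   # TGT expired -> a new TGT would be refused
    ("2014-06-10 10:00", "access",     "mjones"),   # before the account was disabled -> normal
    ("2014-06-11 07:00", "disabled",   "mjones"),
    ("2014-06-11 07:30", "access",     "mjones"),   # inside the window -> zombie access
]


def parse(events):
    """Turn the string timestamps into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), kind, acct)
            for ts, kind, acct in events]


def zombie_windows(events):
    """Return {account: (window_start, window_end)} for every disabled account.

    The window opens when the account is disabled and closes when the last
    TGT issued before the disable expires. If no issuance is known, assume
    the worst case: a TGT issued at the moment of the disable.
    """
    last_tgt = {}
    windows = {}
    for ts, kind, acct in sorted(events):
        if kind == "tgt_issued":
            last_tgt[acct] = ts
        elif kind == "disabled":
            issued = last_tgt.get(acct, ts)
            windows[acct] = (ts, issued + TGT_LIFETIME)
    return windows


def find_zombie_access(raw_events):
    """List (account, time, hours_of_validity_left) for each access by a
    disabled account that falls inside its zombie window."""
    events = parse(raw_events)
    windows = zombie_windows(events)
    hits = []
    for ts, kind, acct in events:
        if kind != "access" or acct not in windows:
            continue
        start, end = windows[acct]
        if start <= ts <= end:
            hours_left = (end - ts).total_seconds() / 3600
            hits.append((acct, ts.strftime("%Y-%m-%d %H:%M"), hours_left))
    return hits


if __name__ == "__main__":
    for acct, when, hours_left in find_zombie_access(SAMPLE_EVENTS):
        print(f"ALERT: disabled account {acct} active at {when} "
              f"({hours_left:.1f}h of ticket validity remaining)")
```

The window is anchored on the TGT’s issue time, not the disable time, because the ticket’s validity period started when it was granted; when the issue time is unknown, the script falls back to disable time plus the full lifetime, which is the conservative choice for an alerting rule.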

Written By

Marketing professional with a background in journalism and a focus on IT security.
