Identity & Access

Windows Authentication Protocol Allows Deactivated User Accounts to Live On: Report

Dead doesn’t always mean dead – at least not in the case of Windows user accounts.

In an examination of Windows’ implementation of the Kerberos authentication protocol, researchers at Aorato have found that a disabled user account can remain valid for up to 10 hours after having been revoked. As a result, disabled accounts can expose companies to attackers looking to gain access to a corporate network.

Kerberos is the default authentication protocol for Windows, and is implemented in Windows’ Active Directory. It works on the basis of ‘tickets’ that allow nodes communicating over a non-secure network to verify their identity to one another. These tickets contain all of the user’s relevant authentication and authorization information.

“This information enables the KDC (i.e. the Key Distribution Center. Consider it as the Kerberos’ ‘key master’ which grants specific access to other organizational services) to rely solely on the ticket information for the user’s authentication and authorization,” blogged Tal Be’ery, vice president of research at Aorato. “In other words, using a ticket Kerberos decouples the users’ credentials from the actual access to services.”

“Since Kerberos authentication and authorization is based solely on the ticket – and not on the user’s credentials, it means that disabling the user’s account has no effect on their ability to access data and services,” the researcher continued. “This creates a peculiar situation in which these supposedly ‘dead’ (i.e. disabled) users are actually still very much alive. As such, we aptly named the users in this limbo state as ‘Zombie Users’. These users will rest in peace only when their (TGT) ticket expires, typically after 10 hours.”

In addition, Active Directory does not expose ticket information through logs and events, so exploitation of zombie users cannot be mitigated through traditional log analysis and SIEM (security information and event management) tools, according to Be’ery.

“Zombie Users pose a very prevalent threat for the security of the enterprise,” Be’ery explained. “In the current employment market, many companies suffer from a very high employee turnover rate. In fact, in some Fortune 500 companies the median employee tenure is less than a year, which means that half of their workforce is replaced within a year’s time. All of these leaving employees must have their user account disabled and therefore each of them is a potential Zombie User.”

Combining this statistic with the fact that 95 percent of Fortune 1000 companies use Windows-based networks yields a very ample attack surface for zombie users, he added.


As a solution, Aorato recommends re-coupling the ticket with the user’s account and monitoring changes in the user account’s state and activities, particularly the revocation of the user’s account.
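To make the behaviour described in the quotes above and the recommended fix concrete, here is an added model (not code from the article, Aorato, or Microsoft) of the two KDC exchanges: a TGT is issued while the account is enabled, the account is then disabled, and a vanilla KDC keeps honouring the TGT until its 10-hour lifetime ends, while a KDC that re-couples the ticket with live account state refuses service tickets immediately. The account names, timings and the `KDC`/`Ticket` classes are constructed for illustration.

```python
# Constructed model of the Kerberos "zombie user" window and its mitigation.
# Not an implementation of MIT Kerberos or Active Directory.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TGT_LIFETIME_S = 10 * 3600  # typical TGT lifetime quoted in the report


@dataclass
class Ticket:
    user: str
    issued_at: int
    expires_at: int


@dataclass
class KDC:
    # account name -> enabled flag (constructed sample directory)
    accounts: Dict[str, bool] = field(default_factory=dict)
    recouple: bool = False  # True = apply the "re-coupling" mitigation

    def authenticate(self, user: str, now: int) -> Optional[Ticket]:
        """AS exchange: only an enabled account receives a TGT."""
        if not self.accounts.get(user, False):
            return None
        return Ticket(user, now, now + TGT_LIFETIME_S)

    def request_service_ticket(self, tgt: Ticket, now: int) -> bool:
        """TGS exchange. Vanilla behaviour trusts the TGT alone until expiry,
        so a disabled account keeps working. With recouple=True the KDC
        re-checks the directory on every request."""
        if now >= tgt.expires_at:
            return False  # ticket expired: the zombie finally rests
        if self.recouple and not self.accounts.get(tgt.user, False):
            return False  # account disabled: ticket no longer honoured
        return True


def zombie_window(recouple: bool) -> List[bool]:
    """Timeline: login at t=0, account disabled at t=1h, access attempts at
    t=2h (inside the TGT lifetime) and t=11h (after it). Returns whether
    each attempt succeeded."""
    kdc = KDC({"alice": True}, recouple=recouple)
    tgt = kdc.authenticate("alice", now=0)
    kdc.accounts["alice"] = False  # admin disables the leaver's account at 1h
    return [kdc.request_service_ticket(tgt, now=2 * 3600),
            kdc.request_service_ticket(tgt, now=11 * 3600)]


if __name__ == "__main__":
    print("vanilla KDC   :", zombie_window(False))  # [True, False]
    print("re-coupled KDC:", zombie_window(True))   # [False, False]
```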

Written By

Marketing professional with a background in journalism and a focus on IT security.
