SecurityWeek
Identity & Access

Windows Authentication Protocol Allows Deactivated User Accounts to Live On: Report

Dead doesn’t always mean dead – at least not in the case of Windows user accounts.

In an examination of Windows’ implementation of the Kerberos authentication protocol, researchers at Aorato have found that a disabled user account can remain valid for up to 10 hours after it has been revoked. As a result, disabled accounts can expose companies to attackers looking to gain access to a corporate network.

Kerberos is the default authentication protocol for Windows, and is implemented in Windows’ Active Directory. It works on the basis of ‘tickets’ that allow nodes communicating over a non-secure network to verify their identity to one another. These tickets contain all of the user’s relevant authentication and authorization information.

“This information enables the KDC (i.e. the Key Distribution Center. Consider it as the Kerberos’ ‘key master’ which grants specific access to other organizational services) to rely solely on the ticket information for the user’s authentication and authorization,” blogged Tal Be’ery, vice president of research at Aorato. “In other words, using a ticket Kerberos decouples the users’ credentials from the actual access to services.”

“Since Kerberos authentication and authorization is based solely on the ticket – and not on the user’s credentials, it means that disabling the user’s account has no effect on their ability to access data and services,” the researcher continued. “This creates a peculiar situation in which these supposedly ‘dead’ (i.e. disabled) users are actually still very much alive. As such, we aptly named the users in this limbo state as ‘Zombie Users’. These users will rest in peace only when their (TGT) ticket expires, typically after 10 hours.”

In addition, Active Directory does not externalize the ticket information through logs and events, meaning exploitation of zombie users cannot be mitigated through traditional log analysis and SIEM (security information and event management) tools, according to Be’ery.

“Zombie Users pose a very prevalent threat for the security of the enterprise,” Be’ery explained. “In the current employment market, many companies suffer from a very high employee turnover rate. In fact, in some Fortune 500 companies the median employee tenure is less than a year, which means that half of their workforce is replaced within a year’s time. All of these leaving employees must have their user account disabled and therefore each of them is a potential Zombie User.”


Combining this statistic with the fact that 95 percent of Fortune 1000 companies use Windows-based networks yields a very ample attack surface for zombie users, he added.

As a solution, Aorato recommends re-coupling the ticket with the user’s account and monitoring changes in the user account’s state and activities, particularly the revocation of the user’s account.
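One way for a defender to put that monitoring recommendation into practice is to correlate account-disable events with later successful logons by the same account, since a valid cached TGT lets a disabled user keep authenticating to services for the remainder of the ticket lifetime. The following is an added example written for this article, not Aorato’s code or product. It uses the standard Windows Security log event IDs 4725 (account disabled), 4722 (account enabled) and 4624 (successful logon); the event records and their timestamps are constructed for the example, and the 10-hour window is the default TGT lifetime the article cites.

```python
"""
Detect 'zombie user' activity: successful logons by an account after that
account was disabled and not re-enabled. Kerberos permits this until the
user's cached TGT expires (10 hours by default, as the article notes).

Events are modelled as dicts loosely shaped after Windows Security log
records. All sample events below are constructed for this example.
"""
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # default Active Directory max TGT lifetime

EVENT_DISABLED = 4725  # "A user account was disabled"
EVENT_ENABLED = 4722   # "A user account was enabled"
EVENT_LOGON = 4624     # "An account was successfully logged on"

# Constructed sample events (not in strict time order, as a merged feed often is).
SAMPLE_EVENTS = [
    {"time": "2014-07-14T08:00:00", "id": 4624, "user": "alice", "auth": "Kerberos", "host": "FS01"},
    {"time": "2014-07-14T09:00:00", "id": 4725, "user": "alice"},                                   # alice offboarded
    {"time": "2014-07-14T11:30:00", "id": 4624, "user": "alice", "auth": "Kerberos", "host": "FS01"},  # zombie logon
    {"time": "2014-07-14T18:45:00", "id": 4624, "user": "alice", "auth": "Kerberos", "host": "SQL02"}, # zombie logon
    {"time": "2014-07-15T10:00:00", "id": 4624, "user": "alice", "auth": "Kerberos", "host": "FS01"},  # past TGT lifetime
    {"time": "2014-07-14T09:05:00", "id": 4725, "user": "bob"},                                     # bob disabled...
    {"time": "2014-07-14T10:00:00", "id": 4722, "user": "bob"},                                     # ...then re-enabled
    {"time": "2014-07-14T12:00:00", "id": 4624, "user": "bob", "auth": "Kerberos", "host": "FS01"},    # legitimate
    {"time": "2014-07-14T13:00:00", "id": 4624, "user": "carol", "auth": "NTLM", "host": "FS01"},      # never disabled
]


def parse_time(value):
    """Parse the ISO-8601-style timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_zombie_logons(events, tgt_lifetime=TGT_LIFETIME):
    """Return one finding per logon that happens while the account is disabled.

    Each finding records the user, host, authentication package, logon time,
    hours elapsed since the disable event, and a status: 'zombie_ticket' when
    the logon falls inside the TGT lifetime (explainable by a still-valid
    cached ticket), or 'beyond_tgt_lifetime' when it does not, which warrants
    a closer look at how the logon was possible at all.
    """
    disabled_at = {}  # user -> time the account was disabled; absent if enabled
    findings = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        now = parse_time(ev["time"])
        user = ev["user"]
        if ev["id"] == EVENT_DISABLED:
            disabled_at[user] = now
        elif ev["id"] == EVENT_ENABLED:
            disabled_at.pop(user, None)  # re-enabled: no longer a zombie candidate
        elif ev["id"] == EVENT_LOGON and user in disabled_at:
            age = now - disabled_at[user]
            findings.append({
                "user": user,
                "host": ev.get("host"),
                "auth": ev.get("auth"),
                "logon_time": ev["time"],
                "hours_after_disable": round(age.total_seconds() / 3600, 2),
                "status": "zombie_ticket" if age <= tgt_lifetime else "beyond_tgt_lifetime",
            })
    return findings


if __name__ == "__main__":
    for finding in find_zombie_logons(SAMPLE_EVENTS):
        print(f"{finding['user']:6} {finding['logon_time']} on {finding['host']:5} "
              f"via {finding['auth']:8} {finding['hours_after_disable']:>6}h after disable "
              f"[{finding['status']}]")
```

The check deliberately keys off logon events recorded on the resource servers rather than on ticket contents, because, as the article notes, Active Directory does not expose ticket details in its logs. In the constructed sample only alice is flagged: her two logons within 10 hours of being disabled are classified as zombie-ticket activity, her next-day logon is flagged as beyond the ticket lifetime, and bob is not reported because his account was re-enabled before he logged on.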
