What is a ghost account and how to detect them on your Active Directory

Published: 09/2020

I'll explain how to detect and eliminate ghost accounts: accounts that are still in your Active Directory even though the person who used them is no longer there. What are the consequences of these oversights, and how do you remedy them? Let's go!

Summary

In its report on cyber threats in 2022, ANSSI deplored an increase in cyberattacks against very small, small and mid-sized businesses (VSEs, SMEs and ISEs), which accounted for 40% of the ransomware incidents reported to it.

Shadow IT is a serious threat to companies, and to local authorities as well, and is the starting point of a share of these attacks.

Ghost accounts are accounts in your Active Directory that nobody uses any more and that can serve as an entry point into your information system for an attacker.

Because nobody owns them, these accounts are no longer under the control of the IT department, which is why they are often grouped with shadow IT.

What is an AD ghost account?

Ghost accounts can fall into several categories:

  • "system" accounts: accounts created by applications or third-party systems that are no longer used because the system has been decommissioned. A good example is the "BESAdmin" account, well known to system administrators (less so to the public): the BlackBerry Enterprise Server service account, created in the heyday of BlackBerry and typically left behind after the server was retired.
  • orphan user accounts: the person has left the company, but the account is still active.
  • accounts that are meant to be used very rarely and are therefore "vacant" for more than a year, such as emergency (break-glass) accounts.

On average, 25% of accounts are dormant in each Active Directory!

Detect ghost accounts in your Active Directory

Why are these accounts dangerous?

These accounts represent a risk precisely because nobody uses them: they fall outside the scope of the IT department, which is already busy managing the accounts of current users.

An attacker can use such an account discreetly to reach servers, company files and so on, and since nobody expects activity from it, the use is unlikely to be noticed. A certain number of dormant accounts also carry elevated rights, which makes the exposure that much more serious.

A former employee may also continue to have access to company data even though they have, for example, left to join a competitor.

In addition, we are only talking here about ghost accounts in the Active Directory, not in the company as a whole; the digital-native generation no longer hesitates to store company data in personal, SaaS and unsecured applications. How do you expect to manage that second aspect if your own AD is not already exemplary?

How to detect these accounts?

These accounts are difficult to detect because identifying them takes a combination of several pieces of information, held by different departments of the company.

  • The date of last use: a good initial indicator for spotting accounts unused for, say, more than 3 months, which are therefore potential ghost accounts. In AD this is the lastLogonTimestamp attribute (the replicated one; the lastLogon attribute is per domain controller), and it is only refreshed roughly every 14 days, so read it as "not seen for at least N days".
  • Accounts whose password expired several months ago and has never been renewed.

⚠️ Beware, however, of long-term absences: you do not necessarily want to deactivate the account of someone on maternity or sick leave.

You can, however, suspend the account of a person who is absent for a long period, which keeps it safe during that time and is easy to reverse when they return.

Furthermore, an account that an attacker is actively using will have a recent logon date, so it will not appear on this list at all. Inactivity indicators find neglected accounts, not compromised ones; that is why the HR cross-check below matters.
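As an added example (not code from the article or from any vendor tool), here is a sweep of the two indicators above with the RSAT ActiveDirectory module, run on a domain-joined machine with read rights on the directory. The 90-day window, the privileged-group pattern and the output file name are assumptions to adjust to your domain.

```powershell
# Added example (not from the article): sweep for dormant enabled user
# accounts. The 90-day window, privileged-group pattern and output path
# are assumptions.
Import-Module ActiveDirectory

$InactiveDays = 90
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$MaxPwdAge    = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge   # zero = never expires

# lastLogonTimestamp is replicated to every DC but is only refreshed when the
# stored value is more than 14 days old (msDS-LogonTimeSyncInterval), so read
# it as "not seen for at least N days". It is absent on accounts that never
# logged on; those are aged from whenCreated instead.
$Users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties lastLogonTimestamp, PasswordLastSet, PasswordNeverExpires, whenCreated, Description, MemberOf

$Stale = foreach ($u in $Users) {
    $lastSeen = if ($u.lastLogonTimestamp) {
        [DateTime]::FromFileTime($u.lastLogonTimestamp)
    } else {
        $u.whenCreated
    }
    if ($lastSeen -ge $Cutoff) { continue }

    # Second indicator: password older than the domain maximum age and never
    # reset since. Fine-grained password policies are not consulted here.
    $pwdExpired = ($MaxPwdAge -gt [TimeSpan]::Zero) -and
                  (-not $u.PasswordNeverExpires) -and
                  ($u.PasswordLastSet) -and
                  (((Get-Date) - $u.PasswordLastSet) -gt $MaxPwdAge)

    [PSCustomObject]@{
        SamAccountName  = $u.SamAccountName
        LastSeen        = $lastSeen.ToString('yyyy-MM-dd')
        NeverLoggedOn   = -not $u.lastLogonTimestamp
        PasswordExpired = $pwdExpired
        # Direct membership only: nested groups and the primary group are not in MemberOf
        Privileged      = [bool](@($u.MemberOf) -match '^CN=(Domain Admins|Enterprise Admins|Administrators|Account Operators),')
        Description     = $u.Description
    }
}

# Privileged dormant accounts first: those are the ones an attacker values most
$Stale | Sort-Object Privileged, NeverLoggedOn -Descending | Format-Table -AutoSize
$Stale | Export-Csv -Path .\dormant-accounts.csv -NoTypeInformation
```

The CSV is the input for the HR reconciliation: it tells you which accounts look abandoned, not who they belong to. Accounts with NeverLoggedOn set deserve a look on their own, since a user account created months ago and never used is either a provisioning mistake or a leftover.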

  • The list of current employees, provided by the HR department, is very useful: accounts that match nobody on that list are likely to be "at risk".
    You therefore need to cross-reference the HR file with the list of IT accounts. This matching of users to accounts is what we call account reconciliation.

However, there are many legitimate exceptions: accounts created for service providers and contractors, or simply service accounts, none of which appear in the HR file. Keep those in a known place (a dedicated OU, a group, or a documented owner in the description field) so that the reconciliation can set them aside instead of flagging them every time.
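One way to do that reconciliation, as an added example that is not part of the article: match each AD account to an HR record through the employeeID attribute, and set aside the known exceptions by OU. The HR export and the account list are constructed sample data so the script runs offline; in production, replace $Accounts with the Get-ADUser call shown in the comment. The column names, OU names and status values are assumptions.

```powershell
# Added example (not from the article): HR-to-AD account reconciliation.
# All data below is constructed; attribute and column names are assumptions.

$HrCsv = @'
EmployeeID,Name,Status,EndDate
1001,Alice Martin,Active,
1002,Bob Durand,Left,2020-06-30
1003,Chloe Petit,Leave,
'@
$Hr = $HrCsv | ConvertFrom-Csv

# Production: Get-ADUser -Filter 'Enabled -eq $true' -Properties employeeID |
#             Select-Object SamAccountName, employeeID, DistinguishedName
$Accounts = @(
    [PSCustomObject]@{ SamAccountName = 'amartin';    employeeID = '1001'; DistinguishedName = 'CN=amartin,OU=Users,DC=corp,DC=example' }
    [PSCustomObject]@{ SamAccountName = 'bdurand';    employeeID = '1002'; DistinguishedName = 'CN=bdurand,OU=Users,DC=corp,DC=example' }
    [PSCustomObject]@{ SamAccountName = 'cpetit';     employeeID = '1003'; DistinguishedName = 'CN=cpetit,OU=Users,DC=corp,DC=example' }
    [PSCustomObject]@{ SamAccountName = 'besadmin';   employeeID = $null;  DistinguishedName = 'CN=besadmin,OU=Users,DC=corp,DC=example' }
    [PSCustomObject]@{ SamAccountName = 'svc-backup'; employeeID = $null;  DistinguishedName = 'CN=svc-backup,OU=ServiceAccounts,DC=corp,DC=example' }
    [PSCustomObject]@{ SamAccountName = 'jdoe-ext';   employeeID = '9999'; DistinguishedName = 'CN=jdoe-ext,OU=Contractors,DC=corp,DC=example' }
)

# Known exceptions: reviewed separately against their own owner list, not flagged here
$ExceptionOUs = @('OU=ServiceAccounts,', 'OU=Contractors,')

$HrById = @{}
foreach ($row in $Hr) { $HrById[$row.EmployeeID] = $row }

$Report = foreach ($a in $Accounts) {
    $isException = [bool]($ExceptionOUs | Where-Object { $a.DistinguishedName -like "*$_*" })
    $hrRow = if ($a.employeeID) { $HrById[$a.employeeID] } else { $null }

    $verdict = if ($isException)                     { 'Exception: review against owner list' }
               elseif (-not $a.employeeID)           { 'Orphan: no employeeID, cannot be linked to HR' }
               elseif (-not $hrRow)                  { 'Orphan: employeeID unknown to HR' }
               elseif ($hrRow.Status -eq 'Left')     { "Orphan: employee left on $($hrRow.EndDate)" }
               elseif ($hrRow.Status -eq 'Leave')    { 'Keep but suspend: long-term absence' }
               else                                  { 'OK' }

    [PSCustomObject]@{ Account = $a.SamAccountName; EmployeeID = $a.employeeID; Verdict = $verdict }
}

$Report | Format-Table -AutoSize
```

With this sample, amartin is OK, bdurand and besadmin are orphans to process, cpetit is flagged for suspension rather than deletion, and the two exception-OU accounts are routed to their own review. The weak point of the method is the link itself: if employeeID is not populated consistently at account creation, every account becomes "orphan" and the report is useless, so the first cleanup task is often to fill that attribute.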

How to handle dormant accounts in your AD?

At this stage, you should see the value of implementing an account management policy in your company. So, what are the steps to take to obtain a cleansed AD?

You can either delete the accounts completely or properly deactivate them. What is the difference between the two? Traceability. If you need to keep a trace of your old accounts, we advise deactivation; otherwise, complete deletion is simpler. Bear in mind that deleting an account also discards its SID: any ACL that still references it shows an unresolved SID, and the history of what the account could access is lost with it.

To ensure proper deactivation, we recommend the following steps:

  • identify the dormant accounts with the steps seen previously;
  • disable the accounts;
  • check the group memberships of these accounts. You have surely structured your AD by department, and perhaps created groups for important projects, access to certain premises, etc. Remove the accounts from these groups, keeping a record of what was removed;
  • change the account password, using a tool of your choice to generate a strong random password;
  • move the account to an OU reserved for suspended accounts, so it can be found easily (especially for traceability purposes);
  • update the account description to state clearly when, by whom and for what reason the account was suspended.
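The whole procedure for one account, as an added example that is not the article's own script: the account name, the quarantine OU and the ticket reference are placeholders, and it assumes the RSAT ActiveDirectory module and rights to modify the account.

```powershell
# Added example (not from the article): controlled deactivation of one
# dormant account. Account name, OU and ticket reference are placeholders.
Import-Module ActiveDirectory

$Sam          = 'bdurand'
$QuarantineOU = 'OU=Suspended Accounts,DC=corp,DC=example'
$Reason       = 'Dormant > 90 days, HR status Left (ticket INC-0000)'
$Operator     = $env:USERNAME
$Stamp        = Get-Date -Format 'yyyy-MM-dd'

$User = Get-ADUser -Identity $Sam -Properties MemberOf, Description

# 1. Disable first: from this point the current password is useless to anyone holding it
Disable-ADAccount -Identity $User

# 2. Record direct group memberships before removing them (traceability).
#    The primary group (Domain Users by default) is not in MemberOf and stays.
$Groups = @($User.MemberOf)
$Groups | Out-File -FilePath ".\$Sam-groups-$Stamp.txt"
foreach ($g in $Groups) {
    Remove-ADGroupMember -Identity $g -Members $User -Confirm:$false
}

# 3. Reset the password to a random value that nobody knows or records
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$NewPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $User -Reset -NewPassword $NewPwd

# 4. Document the suspension on the object itself, keeping the old description
$Note = "SUSPENDED $Stamp by $Operator - $Reason - former description: $($User.Description)"
Set-ADUser -Identity $User -Description $Note

# 5. Park it in the quarantine OU. Done last, because the object's DN changes here.
Move-ADObject -Identity $User.DistinguishedName -TargetPath $QuarantineOU
```

Re-enabling a suspended account later (a returning employee, a system that turns out to still be needed) is then a matter of reading the saved group file, and the description tells the next administrator why the account was parked instead of leaving them to guess.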

How to navigate the exceptions within each method?

At this point in your reading, you are probably telling yourself:
1) what is being proposed here is tedious to implement;
2) these methods do not guarantee 100% detection of orphan accounts!

Both objections are fair, and they stem from the same cause: dormant accounts fall into several categories, and no single indicator catches all of them. A simpler, cleaner and security-compliant way to handle this is an Identity and Access Management (IAM) solution.

The strength of an IAM lies in its ability to cross-reference technical data (Active Directory accounts) with HR data.
Each account must be associated with an individual who is in turn linked to the company by a contractual relationship (employee, contractor, etc.).

Ghost accounts then become very easy to identify, through the combined input of HR and IT.
With an IAM tool, you are alerted whenever there is an "orphan" account, i.e. one that is not associated with any user.

Link your Active Directory accounts to your users

Thanks to the Active Directory Connector (very simply installed on our platform), your Active Directory is always up to date and you can view your accounts directly, without any particular action on your part.
You thus obtain a real-time "snapshot" of all your active accounts and whether or not each is associated with a user, and can process every account that is not attached to anyone. Practical!

Need to estimate the cost of an IAM project?

Download this white paper on the cost of inaction in IAM:
