Disabling an account in a Windows network does not take effect immediately, according to Aorato. In fact, because of how the protocol is designed, disabled accounts – and the same goes for deleted, expired and locked-out accounts – effectively remain valid for up to 10 hours after they were supposedly revoked.
As a consequence, so-called disabled accounts expose the corporation to advanced attackers seeking to gain access to the corporate network. Departing employees whose user account has been disabled can also potentially continue to access corporate data.
With 95% of Fortune 1000 companies running a Windows-based network, this flaw affects enterprises across industries. Organizations seeking to comply with the PCI Data Security Standard will find that this authentication flaw turns the requirement of immediate revocation of any terminated user into a requirement that in reality cannot be met.
The problem lies in the Kerberos authentication protocol which is based on an organizational “ticket”. The ticket eliminates the need for employees to re-supply their username / password each time they access a system. However, the fact that authentication and authorization rely solely on the ticket, and not on the user’s credentials, means that disabling the user’s account has no effect on the employees’ ability to access data and services.
“Unfortunately, Windows fails to solve this authentication flaw. Worse yet, Windows’ Kerberos implementation does not externalize the ticket information through logs and events, and so exploitation of the flaw cannot be mitigated through traditional log and SIEM measures. A required solution needs to both enforce the termination of disabled user accounts as well as have visibility into the relevant information,” said Tal Be’ery, VP Research at Aorato.
To mitigate, organizations should monitor network traffic to Windows authentication servers in order to:
- Recouple the ticket with the user’s account, eliminating the root cause of the problem
- Monitor changes in the user account’s state and activities, and in particular the revocation of the user’s account
- Terminate requests from a disabled user who is accessing a resource with a still-valid ticket.
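The following is an added illustration of the "recouple the ticket with the account" check, not code from Aorato or from the article. It assumes a monitor that can see, for each ticket presented to a service, the principal name and issue time (as the article says, Windows itself does not log this, so the inputs are constructed sample data), and compares the plain ticket-lifetime check against one that also consults the account's state at the moment of use.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Ticket validity window cited in the article (default Windows TGT lifetime).
TICKET_LIFETIME = timedelta(hours=10)

@dataclass
class TicketUse:
    user: str            # principal named in the observed ticket
    issued_at: datetime  # when the ticket was issued
    used_at: datetime    # when the ticket was presented to a service

def ticket_only_check(use: TicketUse) -> bool:
    """What plain Kerberos does: accept any unexpired ticket, ignoring account state."""
    return use.issued_at <= use.used_at < use.issued_at + TICKET_LIFETIME

def account_state_at(history: List[Tuple[datetime, str, str]], user: str, when: datetime) -> str:
    """Most recent recorded state ('enabled'/'disabled') of `user` at time `when`."""
    state = "enabled"
    for ts, u, s in sorted(history):
        if u == user and ts <= when:
            state = s
    return state

def recoupled_check(use: TicketUse, history) -> Tuple[bool, str]:
    """Recouple the ticket with the account: deny if the account is disabled at use time."""
    if not ticket_only_check(use):
        return False, "ticket expired"
    if account_state_at(history, use.user, use.used_at) == "disabled":
        return False, "account disabled while ticket still valid"
    return True, "ok"

# Constructed sample data (hypothetical users and times, not from the article).
T0 = datetime(2014, 7, 1, 8, 0)
HISTORY = [(T0 + timedelta(hours=2), "alice", "disabled")]   # alice disabled at 10:00
USES = [
    TicketUse("alice", T0, T0 + timedelta(hours=1)),   # 09:00, before the disable
    TicketUse("alice", T0, T0 + timedelta(hours=5)),   # 13:00, after the disable, ticket unexpired
    TicketUse("alice", T0, T0 + timedelta(hours=11)),  # 19:00, ticket expired
    TicketUse("bob",   T0, T0 + timedelta(hours=5)),   # never disabled
]

def audit(uses, history):
    """Per ticket use: (ticket-only verdict, recoupled verdict, reason)."""
    return [(ticket_only_check(u), *recoupled_check(u, history)) for u in uses]

if __name__ == "__main__":
    for u, row in zip(USES, audit(USES, HISTORY)):
        print(u.user, u.used_at.time(), row)
```

The second row is the gap the article describes: the ticket-only check still accepts alice three hours after her account was disabled, while the recoupled check denies it.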