3.5.6 has a weight of -1 points
(Identification and Authentication Family) 6/11
Disable identifiers after a defined period of inactivity.
Example of System Security Plan (SSP):
System Security Plan (SSP) for Account Inactivity Management
1. Overview
This document outlines the policy and procedures for managing accounts that are no longer in use within our system. The primary focus is on disabling user accounts that have been inactive for more than 180 days. This process is automated through PowerShell scripts and task scheduling, as part of our ongoing commitment to maintaining a secure and efficient operating environment.
2. Purpose
The purpose of this policy is to reduce the potential security risks associated with inactive user accounts. By regularly monitoring and disabling accounts that are no longer in use, we minimize the chance of unauthorized access and ensure that only active users have access to our system resources.
3. Scope
This policy applies to all user accounts within our system, regardless of their roles or permissions. It encompasses both regular user accounts and privileged administrative accounts.
4. Policy
- 4.1 Inactivity Monitoring: An annual service ticket is created to check for accounts that have had no logon for more than 180 days.
- 4.2 Account Disabling: If an account meets the inactivity threshold, it will be disabled automatically.
- 4.3 Automation: This activity is implemented through PowerShell scripts and task scheduling, providing an efficient and consistent approach to inactivity management.
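The policy above names PowerShell and task scheduling as the implementation but does not show how the schedule is set up. The following is an added example, not part of the SSP or the page's own configuration, of registering the inactivity script as a Windows Scheduled Task with the built-in ScheduledTasks module. The script path, task name and the group Managed Service Account name are assumptions; substitute your own.

```powershell
# Added example (not from the page): register the inactivity check as a Scheduled Task.
# Assumed/constructed values: $ScriptPath, $TaskName and the gMSA 'CONTOSO\gmsa-adhygiene$'.
$ScriptPath = 'C:\Scripts\Disable-InactiveAccounts.ps1'   # constructed path
$TaskName   = 'AD - Disable inactive accounts (3.5.6)'    # constructed name

# AllSigned means only an Authenticode-signed script will run, so a modified script
# cannot be swapped in silently; the signature also ties the script to its author.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy AllSigned -File `"$ScriptPath`""

# Weekly is frequent enough for a 180-day threshold and keeps the window in which a
# newly inactive account stays enabled short; the SSP's annual ticket is the review, not the run.
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2am

# Run as a group Managed Service Account that is delegated only the right to disable
# users in the relevant OUs. With a gMSA, LogonType Password stores no password on the host.
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\gmsa-adhygiene$' `
    -LogonType Password -RunLevel Highest

# Bound the run time and catch up if the host was offline at the scheduled time.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings `
    -Description 'NIST SP 800-171 3.5.6: disable identifiers inactive for more than 180 days'
```

Running the task under a dedicated, least-privileged service identity rather than an administrator's account is what makes the Process and Script Accountability Log described later on this page meaningful: every disable action in the Security event log is attributable to this one principal.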
5. Technology Description
PowerShell, a task automation and configuration management framework developed by Microsoft, is utilized for this process. It includes a command-line shell and scripting language built on the .NET Framework, allowing for robust and flexible automation solutions.
6. Responsibilities
- System Administrators: Responsible for maintaining the PowerShell scripts, task scheduling, and monitoring the annual service tickets.
- Security Team: Responsible for overseeing the policy and ensuring that it aligns with organizational security requirements.
- Users: Responsible for informing the IT department if they anticipate their accounts will be inactive for extended periods.
7. Review and Updates
This policy will be reviewed annually or as needed to ensure that it continues to meet our organizational goals and regulatory requirements.
Example of Plan of Action and Milestones (POA&M):
Plan of Action & Milestones (POA&M) for Account Inactivity Management
1. Introduction
This POA&M outlines the steps, milestones, resources, and schedule required to implement and maintain the policy and procedures for managing accounts that are inactive for more than 180 days.
2. Actions and Milestones
| Task | Description | Responsible Party | Start Date | Completion Date | Status |
|---|---|---|---|---|---|
| T1 | Implement PowerShell Scripts | System Administrators | MM/DD/YYYY | MM/DD/YYYY | In Progress |
| T2 | Schedule Annual Service Tickets | System Administrators | MM/DD/YYYY | MM/DD/YYYY | Completed |
| T3 | Monitor Inactive Accounts | Security Team | Ongoing | N/A | Ongoing |
| T4 | Review and Update Policy | Security Team | Annually | N/A | Ongoing |
| T5 | Educate Users on Policy | Security Team | MM/DD/YYYY | MM/DD/YYYY | Planned |
| T6 | Conduct Audits for Compliance | Security Team | Semi-annually | N/A | Ongoing |
Example of a PowerShell script:
Below is a basic example of a PowerShell script that can be used to disable user accounts in Active Directory that have been inactive for 180 days or more. This script would need to be run by an account with appropriate permissions in the domain.
Please consult with your organization’s IT or security policy before implementing this, as it is only meant as a demonstration and should be thoroughly tested and customized to fit your specific environment.
```powershell
# Import the Active Directory module if not already loaded
Import-Module ActiveDirectory

# Define the threshold for inactivity
$inactivityThreshold = (Get-Date).AddDays(-180)

# Get all enabled users whose last logon is older than the threshold.
# Note: accounts that have never logged on have no LastLogonTimestamp and are not matched
# by this filter; handle them separately if your policy requires it.
$usersToDisable = Get-ADUser -Filter { LastLogonTimestamp -lt $inactivityThreshold -and Enabled -eq $true } `
    -Properties LastLogonTimestamp

# Loop through the users and disable them
foreach ($user in $usersToDisable) {
    # Disable the user
    Disable-ADAccount -Identity $user

    # Optional: print out the user's name for logging
    Write-Host ("Disabled user: " + $user.SamAccountName)
}

# Print completion message
Write-Host "Completed disabling inactive accounts."
```
Hint:
This requirement does not necessitate automation; you could simply automate a ticket to your IT personnel to check this event, add it to your calendar, or take any other appropriate action. What's essential is having a consistent process and policy in place.
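Whether the check is automated or handled through a ticket, the reviewer needs a list of candidate accounts that covers the cases the basic script above skips: accounts that have never logged on, and accounts deliberately exempted (break-glass or service accounts reviewed under a separate procedure). The following is an added example, not the page's script, that produces that list as a CSV for the ticket or the annual review and disables accounts only through a `SupportsShouldProcess` function so that `-WhatIf` previews the change. The exception group name and the report path are assumptions.

```powershell
# Added example (not from the page): report-first inactivity review with an audit trail.
# Assumed/constructed values: the exception group 'AD-Inactivity-Exempt' and the report path.
Import-Module ActiveDirectory

function Get-InactiveAccountReport {
    param(
        [int]    $InactiveDays   = 180,
        [string] $ExceptionGroup = 'AD-Inactivity-Exempt'   # constructed group name
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # Build a lookup of exempted accounts so the exception list is explicit and reviewable.
    $exempt = @{}
    Get-ADGroupMember -Identity $ExceptionGroup -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { $exempt[$_.distinguishedName] = $true }

    # lastLogonTimestamp replicates only when it is 9-14 days stale; that is accurate enough
    # for a 180-day threshold but would be wrong for a threshold of a few days.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
        Where-Object { -not $exempt.ContainsKey($_.DistinguishedName) } |
        ForEach-Object {
            # Accounts that never logged on carry no lastLogonTimestamp; measure from creation.
            $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
            $reference = if ($lastLogon) { $lastLogon } else { $_.whenCreated }
            if ($reference -lt $cutoff) {
                [pscustomobject]@{
                    SamAccountName    = $_.SamAccountName
                    DistinguishedName = $_.DistinguishedName
                    LastLogon         = if ($lastLogon) { $lastLogon.ToString('s') } else { 'never' }
                    WhenCreated       = $_.whenCreated.ToString('s')
                    DaysInactive      = [int]((Get-Date) - $reference).TotalDays
                }
            }
        }
}

function Disable-ReportedAccount {
    # -WhatIf and -Confirm come from SupportsShouldProcess; the description stamp records
    # when and why the account was disabled, which the annual review can check later.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Account)
    process {
        if ($PSCmdlet.ShouldProcess($Account.SamAccountName, 'Disable inactive account')) {
            Disable-ADAccount -Identity $Account.DistinguishedName
            Set-ADUser -Identity $Account.DistinguishedName `
                -Description "Disabled $(Get-Date -Format s): inactive $($Account.DaysInactive) days (3.5.6)"
        }
    }
}

# Review step: write the candidates to a CSV that can be attached to the service ticket.
$reportPath = "C:\Reports\inactive-accounts-$(Get-Date -Format yyyyMMdd).csv"   # constructed path
$candidates = @(Get-InactiveAccountReport -InactiveDays 180)
$candidates | Export-Csv -Path $reportPath -NoTypeInformation
Write-Output "$($candidates.Count) candidate account(s) written to $reportPath"

# Enforcement step: preview first, then remove -WhatIf once the report has been reviewed.
$candidates | Disable-ReportedAccount -WhatIf
```

The CSV doubles as evidence for the assessor: it shows the threshold applied, the date of the run and each account's basis for inclusion (last logon or creation date), which is the record a "Monitor Inactive Accounts" milestone needs behind it.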
RELEVANT INFORMATION:
Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.