Profile Applicability:
 Level 1

Description:
 User accounts that have been inactive for a specified duration must be regularly reviewed and disabled or removed if no longer required. This reduces the risk of unauthorized access from dormant accounts and helps maintain a secure and manageable user environment.

Rationale:
 Inactive user accounts can become security liabilities if left unmanaged, as they may be exploited by attackers or lead to unintended access. Regular review and removal of such accounts enforce the principle of least privilege and support compliance with security policies and standards.

Impact:
 Pros:

  • Minimizes attack surface by removing unused accounts.

  • Enhances overall security posture.

  • Supports compliance with regulatory and organizational requirements.

  • Simplifies user management and auditing.

 Cons:

  • Requires ongoing administrative effort.

  • Risk of accidentally disabling accounts still in use if reviews are not thorough.

Default value:
 Some systems do not have automatic processes to identify and remove inactive users.

Audit:
 Review user account activity logs to identify inactive users. Verify that periodic reviews and removals are documented and enforced.

Remediation:
 Establish policies defining inactivity thresholds and review cycles. Implement automated tools to flag inactive accounts. Train administrators on procedures for disabling or removing users securely.
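 As an added illustration of the automated flagging step (example code, not part of this benchmark or any vendor tool), the following Python routine applies an inactivity threshold to a constructed list of accounts. The account fields, the NOW timestamp and the sample directory are assumptions; the logic skips accounts that are already disabled or documented as exceptions, and measures never-used accounts from their creation date so that newly provisioned users are not flagged prematurely.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Account:
    name: str
    created: datetime
    last_sign_in: Optional[datetime]   # None means the account has never signed in
    enabled: bool = True
    exempt: bool = False               # documented exception (e.g. break-glass account)


def inactive_accounts(accounts, threshold_days, now=None):
    """Return (name, reason) pairs for enabled, non-exempt accounts that have
    shown no sign-in activity for longer than threshold_days."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=threshold_days)
    flagged = []
    for acct in accounts:
        if not acct.enabled or acct.exempt:
            continue                   # already disabled, or a reviewed exception
        if acct.last_sign_in is None:
            # Never used: measure from creation so a brand-new account is not
            # flagged before its owner has had a chance to log in.
            if acct.created < cutoff:
                flagged.append((acct.name, "never signed in since creation"))
        elif acct.last_sign_in < cutoff:
            days = (now - acct.last_sign_in).days
            flagged.append((acct.name, f"last sign-in {days} days ago"))
    return flagged


# Constructed sample directory (hypothetical accounts); NOW is fixed so the
# report is reproducible rather than depending on the wall clock.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


SAMPLE_ACCOUNTS = [
    Account("alice", _d(2023, 1, 1), _d(2024, 5, 28)),                  # active
    Account("bob", _d(2023, 1, 1), _d(2024, 1, 15)),                    # dormant
    Account("carol", _d(2024, 5, 20), None),                            # new, not yet used
    Account("dave", _d(2023, 6, 1), None),                              # provisioned, never used
    Account("breakglass", _d(2022, 1, 1), _d(2023, 1, 1), exempt=True), # documented exception
    Account("erin", _d(2023, 1, 1), _d(2023, 1, 1), enabled=False),     # already disabled
]

if __name__ == "__main__":
    for name, reason in inactive_accounts(SAMPLE_ACCOUNTS, 90, now=NOW):
        print(f"REVIEW {name}: {reason}")
```

The output is a review list, not a disable action: an administrator confirms each entry against the owner before disabling, which addresses the risk noted under Cons of disabling an account still in use.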

References:

  1. CIS Controls v8, Control 5 - Account Management: https://www.cisecurity.org/controls/account-management/

  2. NIST SP 800-53: AC-2 Account Management: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

  3. Microsoft Azure AD Inactive Users: https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/users-inactive