An orphaned account (also called an orphan account) is a user account (employee or vendor) that retains access to applications and systems on a network without an active owner. There are many reasons why the original account owner (identity) may be inactive in the system.
The security risks of orphaned accounts stem from the presence of leftover privileges and access rights. Because they are unmanned, attackers use these accounts to set up footholds on corporate networks and use any remaining permissions to move around.
Inside this glossary definition, learn more about what causes orphaned accounts to occur, their top security risks, and how to discover and eliminate them in your own network.
Most companies have a concrete identity lifecycle management process for deactivating user accounts once they are no longer needed. This deactivation of access is referred to as ‘de-provisioning.’ This process may be initiated when the employee or vendor user is transitioning into a new role within the organization, is no longer employed by the organization, or has discontinued using their account for other reasons.
Occasionally, organizations will allow a grace period before complete de-provisioning, in case an account is needed again after a brief time has lapsed. Failure to de-provision will create an orphan account that continues to exist on the system—sometimes for years.
However, even with a robust de-provisioning plan in place, orphan accounts can occasionally slip by unnoticed. Historically, Active Directory, LDAP, and other types of directory service accounts are the most prone to becoming orphaned because they exist in the backend, out of everyday view. However, even seemingly benign, abandoned corporate email or social media accounts can give attackers the backdoor access they need to infiltrate the enterprise and execute lateral movement.
The presence of orphaned accounts poses an immense security risk and runs afoul of identity management best practices and the security principle of least privilege.
Any kind of user account that falls into the hands of malicious actors can provide quick access to potentially sensitive systems and applications. However, when exploited, orphaned accounts can be more dangerous than active user accounts. Because there are no active users on an orphaned account to flag anomalies, attackers can utilize these accounts to move across a network under the radar. As a result, orphan accounts—particularly those that provide privileged access—are prized by hacking groups.
In some scenarios, hackers will gain entry to a network through a low-level exploit, such as phishing or social engineering. Then, the hacker will move laterally across the network until they stumble upon an orphaned account with privileged access. From this account, they will escalate their attack to more sensitive areas of the network.
Orphan accounts present an easy starting point for attackers
These identities present an attack surface ripe for escalation along the cyber-attack chain. Email inboxes, application credentials, and other unchecked privileges can provide attackers with ample resources to move laterally into the network—even if an account has been inactive for years.
Old accounts may have aged out of security protocols
The longer an orphan account sits, the weaker it becomes. Updated security policies like password changes and authentication protocols will not always apply to legacy orphan accounts. It is a safe assumption that security standards on the date of an account’s intended de-provisioning were less stringent than today’s—and attackers are keenly aware of this.
Out-of-date user assignments may be providing more access than intended
Accounts may have been granted permissions using out-of-date user group policies. Many accounts have privileged access to certain applications and systems as required by the active user’s role. Once these accounts become orphaned, however, those permissions may have been retained or even escalated as systems underwent updates, re-configurations, or migrations while group memberships went unreviewed.
Auditing is the most effective method for identifying orphan accounts. Service resources across the network must be audited with a regular cadence to ensure privileged accounts are being used regularly, and those that are not are adequately de-provisioned.
These audits should also identify the exact resources that accounts need access to, their current level of security compliance, and their intended business purpose. This ensures active users retain the appropriate level of access to complete their work, while also ensuring orphaned accounts are marked for de-provisioning in a timely manner.
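The audit described above can be scripted. The following is an added example, not a tool from the original page or from any vendor it mentions: it reconciles a directory export against an HR roster to find accounts whose owner has left or was never recorded, applies the grace period mentioned earlier so recent leavers are held rather than disabled, and layers on the inactivity and password-age signals that the page identifies as markers of an orphaned account. The roster, account rows, thresholds, and group names are all constructed for the example; a real run would feed it exported directory attributes (for Active Directory, lastLogonTimestamp and pwdLastSet) and the organization's own privileged-group list.

```python
from datetime import date

# --- Constructed parameters and sample data (not from any real directory) ---
TODAY = date(2024, 6, 1)           # audit date
INACTIVE_DAYS = 90                 # no sign-in for longer than this -> inactive
PASSWORD_MAX_AGE_DAYS = 180        # password older than this -> not rotated
GRACE_DAYS = 14                    # leavers inside this window are held, not disabled
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators", "DBA"}

# HR roster: employee id -> (status, termination date or None); the authoritative owner source
HR_ROSTER = {
    "E100": ("active", None),
    "E200": ("terminated", date(2023, 1, 15)),
    "E300": ("terminated", date(2024, 5, 25)),   # left 7 days before TODAY, inside grace
}

# Directory export, one row per account (hypothetical names)
ACCOUNTS = [
    {"sam": "alice", "owner": "E100", "enabled": True,
     "last_logon": date(2024, 5, 30), "pwd_last_set": date(2024, 4, 1),
     "groups": ["Domain Users"]},
    {"sam": "bob", "owner": "E200", "enabled": True,
     "last_logon": date(2023, 1, 10), "pwd_last_set": date(2022, 8, 1),
     "groups": ["Domain Users", "Domain Admins"]},
    {"sam": "carol", "owner": "E300", "enabled": True,
     "last_logon": date(2024, 5, 24), "pwd_last_set": date(2024, 3, 1),
     "groups": ["Domain Users"]},
    {"sam": "svc_backup", "owner": None, "enabled": True,          # service account, no owner recorded
     "last_logon": date(2023, 9, 1), "pwd_last_set": date(2021, 1, 1),
     "groups": ["Server Operators"]},
    {"sam": "vendor_tmp", "owner": "E999", "enabled": True,        # owner id unknown to HR
     "last_logon": None, "pwd_last_set": date(2022, 1, 1),
     "groups": ["Domain Users"]},
]


def days_since(when, today):
    return (today - when).days


def audit(accounts, roster, today=TODAY):
    """Return orphan-candidate findings, privileged accounts first.

    action is 'disable' when the account has no active owner (orphaned),
    'hold' when the owner left within the grace period, and 'review' when the
    owner is active but the account shows inactivity or a stale password.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                       # already de-provisioned
        reasons, action = [], "review"

        owner = roster.get(acct["owner"]) if acct["owner"] else None
        if owner is None:
            reasons.append("no active owner on record")
            action = "disable"
        else:
            status, left_on = owner
            if status == "terminated":
                gone = days_since(left_on, today)
                if gone <= GRACE_DAYS:
                    reasons.append(f"owner left {gone} days ago (within grace period)")
                    action = "hold"
                else:
                    reasons.append(f"owner terminated {gone} days ago")
                    action = "disable"

        last = acct["last_logon"]
        if last is None:
            reasons.append("never logged on")
        elif days_since(last, today) > INACTIVE_DAYS:
            reasons.append(f"inactive for {days_since(last, today)} days")

        pwd_age = days_since(acct["pwd_last_set"], today)
        if pwd_age > PASSWORD_MAX_AGE_DAYS:
            reasons.append(f"password not rotated for {pwd_age} days")

        if not reasons:
            continue                       # healthy account, nothing to report
        privileged = bool(PRIVILEGED_GROUPS.intersection(acct["groups"]))
        findings.append({"sam": acct["sam"], "privileged": privileged,
                         "action": action, "reasons": reasons})

    # Privileged accounts first, then the most-flagged, then by name for a stable report
    findings.sort(key=lambda f: (not f["privileged"], -len(f["reasons"]), f["sam"]))
    return findings


if __name__ == "__main__":
    for f in audit(ACCOUNTS, HR_ROSTER):
        tag = "PRIVILEGED" if f["privileged"] else "standard"
        print(f"{f['sam']:<12} {tag:<10} {f['action']:<8} {'; '.join(f['reasons'])}")
```

On the constructed data the report lists bob and svc_backup first (privileged, orphaned, to be disabled), then vendor_tmp (unknown owner, never used), and holds carol because her owner left a week ago; alice, with an active owner and recent use, does not appear. The ordering matters in practice: the page's point that privileged orphans are the prized targets is what should drive which findings get actioned first.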
Identify and bring all accounts and credentials under management
The first step to eliminating orphan accounts is to know where they are, and privileged accounts should take precedence. User, local, application, service, and other accounts with privileged credentials must be monitored and managed.
Automate account provisioning and de-provisioning
All on-boarding and off-boarding processes should be trackable and automated. This eliminates the administrative guesswork that might result in over-provisioning—and reduces the risk of an orphan account slipping through the cracks.
Attribute granular access policies based on roles
Role-based access distribution is a must. This ensures every role within the organization has all the access it needs to complete its work but is not assigned access to systems outside its purview. If a user account becomes orphaned, this narrows the window of opportunity for a threat actor to move laterally.
Adhere to least privilege, zero trust, and other security best practices
Finally, it’s essential to implement other security best practices, such as least privilege, session monitoring, segmentation, and zero trust security principles, to name a few. Thus, even if an orphan account does occur, the scope for it to be misused, or for its activity to go undetected, is vastly reduced.
Identifying where over-privileged, orphaned, and other accounts exist on the network is a critical step toward ensuring a strong security posture and reducing risks.
The Privileged Access Discovery Application (PADA) is the most powerful free tool of its kind. PADA identifies account misconfigurations, including overprivileged accounts, service accounts using user identities, and unused accounts. By identifying the age of passwords, it points to unused accounts or accounts that have not had their passwords rotated. It also finds remote access tools you might not know are present on your network.
Use the Privileged Access Discovery Application to run unlimited scans—on up to 1,000 network targets at a time.