I spend so much time thinking about the bleeding edge of access reporting that I often forget to mention the basics. In the next few posts, I’ll write about a few of those basic reporting needs starting today with Dormant Accounts on both Microsoft Active Directory and Novell eDirectory.
These are accounts that have been dormant or unused for some period of time. The most obvious indicator of a user account being dormant is that it has not been used to authenticate in a while. You can easily see this by looking at the user object’s attributes. Obviously, a monitoring-only approach would not be able to tell you what’s NOT happening. So, to effectively report on inactivity, you need a solution that would query your network directory on your schedule. NetVision’s NVAssess does exactly that. And rather than ONLY offering a list of dormant accounts based on your criteria (30 days ? 90 days?), we have built-in ability to provide a nice chart that quickly identifies the dormant user accounts that are still enabled and therefore represent a greater security risk. And we can take that a step further.
Many of our manufacturing customers, as an example, have a significant subset of users that do not regularly authenticate. These employees don’t use computers for their day-to-day routines but occasionally need to log on to the network to access HR or other information. In these instances, we can extend our dormant account reporting to include additional logic. For example, members of a certain group or with a given attribute value can be identified separately from other employees. This makes it easy to see which dormant accounts are expected (or normal) and which may represent a higher risk profile.
NVAssess can also auto-process the dormant accounts based the your selected criteria to disable those accounts, revoke permissions, remove group memberships, and move the account to a specified OU within the directory. This makes the entire process automated and hands-off. When your executive staff or auditors run periodic reports, they’ll never find a list of still enabled dormant accounts that are in breach of your security policy.