An orphan account, also referred to as an orphaned account, is a user account that can provide access to corporate systems, services and applications but does not have a valid owner. This is the opposite of an active user account, which is an account owned by an active employee. Types of accounts that are susceptible to becoming orphaned include Active Directory and OpenLDAP accounts.
When an employee leaves the company, transitions into a new role or no longer needs an account, each organization should have a process in place for properly deactivating said accounts. Typically, the company or provider should preserve accounts that are no longer necessary for a brief, predetermined period of time in case of a status change. Once the grace period is over, the company should delete the account and remove all of its information, a process called de-provisioning. However, when this not completed, those accounts become orphan accounts that are unused but continue to exist in its original system.
Orphaned accounts are associated with high security risks and should ideally never exist within a company. For example, if a bank employee quits their job but retains access to employee credentials, they could potentially have the power to continue receiving unauthorized access to customer accounts. Attackers can also use these accounts to exploit an entire system.
Orphaned accounts and security
Orphaned accounts can pose security risks for the following reasons:
- They act as an attack surface for unauthorized users: Unused accounts can still offer access to information such as email mailboxes, application credentials, sensitive data or intellectual property. Former account owners or attackers could gain access to private information and valuable resources even though the account is no longer associated with legitimate permissions.
- They could allow applications to continue running: Application accounts that are not properly disposed of could potentially continue to operate and consume bandwidth or resources. This problem is especially frequent with service accounts as often other applications will continue to use the account due to error or misconfiguration.
- They become weaker and more vulnerable with time: When a user is no longer logging into an account, the account itself will not evolve with security best practices. Password updates and security policy modifications will not be applied to orphan accounts, forcing it to be frozen in time with weak credentials that could be guessed.
- They raise the probability of illegitimate access: Even if the original account owner does not try to access the account again, credential sharing or hacking could allow illegitimate users to spy on an entire system. This is a large threat because the password was never registered to this user in the first place and may be unable to be identified.
How to avoid orphan accounts
Due to the vulnerability and security threats associated with orphaned accounts, organizations should avoid harboring them. The most efficient way to identify orphan accounts and cut off inappropriate access is to conduct an audit of user accounts. Each audit should determine the resources that legitimate accounts need to access, the business purpose of each authorization, accounts that are not being used regularly and accounts that do not follow security protocols. Identifying these factors will ensure that authorized users continue to have uninterrupted access to required information while unmanned accounts are removed.