The SANS Top 20 Controls has a control named Account Monitoring and Control. Within that control is a Quick Win: Ensure that systems automatically create a report on a daily basis that includes a list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire. This list should be sent to the associated system administrator in a secure fashion.
We don't have an automated report of those types of accounts, and quite frankly, we have very poor visibility into account control. Coming from a DoD environment, I'm not used to having such lax controls. Slowly, I'm starting to push the company forward, but it is taking time.
My first thought was to look at the inactive accounts. I figured that these accounts would be low enough of the low-hanging fruit to start with, and here's how I have gone about finding them.
(Note: that I have created a master script that will do more than what this post details...I'm only describing inactive accounts at this time.)
1. This command is in a batch file: dsquery user -inactive 4 -limit 3000 > accountout.txt
Call the output file what you like. The -inactive 4 parameter tells dsquery to look for accounts that have been inactive for at least four weeks. I picked four to start with, as I realize that we have users that travel extensively. My hope is that once we manage the output, I'll be able to lower that number.
2. I took the output of the file, and copied it to Excel. From there, I went to Data>Text-to-Columns in order to break up the data nicely.
3. Column 2 seemed to be where I could differentiate between user and non-user accounts. I filtered on just user accounts and copied that to a new sheet.
My results were staggering. There are way too many accounts. My next step is to find or create a process to validate that these accounts are a) legitimate, and b) truly inactive. Spot checking a bunch of these users revealed users that are contractors. And, if I have to guess, they are no longer with the company. Prime targets to attack - which is why they should be disabled or deleted.
Once that's done, I'll need to automate the process and schedule it to run weekly or so. As for locked-out, disabled, and password length checking...those will be added in time.