Why Stale Account Cleanup is Important and How To Do It


This week, SaaS Alerts has released a new account management feature within its SaaS security monitoring tools. The purpose of this feature is to assist Partners and their client organizations with the task of “cleaning up” inactive accounts.

What are inactive accounts?

Inactive accounts are user accounts that are no longer needed by anyone in an organization to access its resources. A key identifier for these stale accounts is that they have not signed into your environment for an extended period of time.

Guest User Accounts & Vulnerability

Many of these inactive accounts take the form of guest accounts. These accounts are created for day-to-day file sharing activities with individuals outside of your organization. One method of sharing data is to grant access to outside domains, which triggers the creation of a “guest account” to permit access to the shared resources. While this gives your organization a quick and convenient way to share resources, it also leaves a security hole in your environment.

Within many organizations, these guest accounts are never reviewed to determine whether they should remain operational and if access into the sharing organization’s tenant is still necessary after longer periods of inactivity.

Inactive guest user accounts are vulnerable to security breaches because they allow unauthenticated network users to sign in as a Guest without a password. These unauthorized users can access any resources that the Guest account can access. This means that any shared folders with permissions that allow access to the Guest account also allow access to the Guests group and the Everyone group, which could lead to the exposure or corruption of your organization’s data.

Former Team Members’ User Accounts

Organizations and their service providers may not always block access or remove accounts for team members who have separated from the client organization. Accounts left behind for former team members pose an obvious risk. They can be exploited either by the former team member or by bad actors who take advantage of the fact that such accounts are no longer “seen” daily. As a result, nefarious activity may go undetected.

Best Practices for Stale User Accounts

When an account is no longer required for resource access, yet it remains an entry point to the Office 365 tenant, it can be considered “stale”. To protect your environment from data breaches, it is recommended to follow these guidelines:

  • Remove stale accounts from the tenant to follow security best practices and to maintain the smallest possible attack surface to the Office 365 environment.
  • Set accounts to “block sign-in” if it is uncertain whether or not the account may be required in future.
  • Deploy SaaS Alerts’ new account management feature, which allows MSP Partners to quickly filter for any accounts (not only guest user accounts) that have been inactive for an extended period of time.
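As an added example (not SaaS Alerts’ code or its account management feature), the following PowerShell script applies the first two guidelines with the Microsoft Graph PowerShell SDK: it lists enabled accounts, guests and members alike, that have not signed in for a chosen number of days, and optionally blocks sign-in rather than deleting them. It assumes the Microsoft.Graph module is installed and that the 90-day threshold suits your tenant; Microsoft documents that reading the signInActivity property requires a Microsoft Entra ID P1 or P2 license.

```powershell
# Added example, not SaaS Alerts' code. Requires the Microsoft.Graph module.
param(
    [int]$InactiveDays = 90,   # threshold is an assumption; adjust per tenant
    [switch]$BlockSignIn       # without this switch the script only reports
)

$scopes = @('User.Read.All', 'AuditLog.Read.All')
if ($BlockSignIn) { $scopes += 'User.ReadWrite.All' }   # write scope only when needed
Connect-MgGraph -Scopes $scopes -NoWelcome

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$InactiveDays)

# signInActivity is not returned by default; it must be requested explicitly.
$users = Get-MgUser -All -Property 'id,userPrincipalName,userType,accountEnabled,createdDateTime,signInActivity'

$stale = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }   # already blocked, nothing to do

    # Count both interactive and non-interactive sign-ins, so a service
    # account that only refreshes tokens is not mistaken for an idle one.
    $seen = @($u.SignInActivity.LastSignInDateTime,
              $u.SignInActivity.LastNonInteractiveSignInDateTime) | Where-Object { $_ }
    $lastSeen = $seen | Sort-Object -Descending | Select-Object -First 1

    # Never signed in: judge by account age instead, so a guest invited last
    # week is not swept up while one invited a year ago and never used is.
    $reference = if ($lastSeen) { $lastSeen } else { $u.CreatedDateTime }

    if ($reference -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType           # 'Guest' or 'Member'
            LastSignIn        = $lastSeen
            Created           = $u.CreatedDateTime
            IdleDays          = [int]($now - $reference).TotalDays
            Id                = $u.Id
        }
    }
}

# Guests first, then the longest-idle accounts, for the access review.
$stale | Sort-Object @{Expression = 'UserType'; Descending = $false },
                     @{Expression = 'IdleDays'; Descending = $true } | Format-Table -AutoSize

if ($BlockSignIn) {
    foreach ($s in $stale) {
        # Blocking sign-in is reversible; removal is not. Review the list first.
        Update-MgUser -UserId $s.Id -AccountEnabled:$false
        Write-Host "Blocked sign-in for $($s.UserPrincipalName)"
    }
}
```

Run it without the switch first and keep the report as the record of the review; rerun with -BlockSignIn once the list has been confirmed, and remove accounts only after a further quarantine period.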

Microsoft itself acknowledges that good security hygiene includes removing stale accounts, whether guest users or former accounts that are no longer active, and provides additional admin tools when premium P2 licensing is in use with an Office 365 tenant. Unfortunately, P2 licensing is not economically feasible for every customer organization. SaaS Alerts hopes this new tool will help MSP Partners better serve the security needs of the many SMB customers that they serve.
