In IT audits of Active Directory, Randy Franklin Smith frequently finds a surprising number of accounts that should never have been created, or that were created without following the organization's naming convention or other policies. One reason this happens is that too many people in the IT department have the authority to create accounts. Another is that successful intruders, both human and automated, often create backdoor accounts to ensure continued access and to obscure their activity. Flame, a recent weaponized malware, specifically attempted to create such an account whenever it discovered that it was running under the authority of a domain admin.
Stop them when the account is created.
So tracking down new accounts is crucial — but also time-consuming and often inconclusive.
The best time to track down provenance of a new but non-compliant account is when it’s first created:
How to monitor and review new accounts
There are two ways to review and respond to new accounts:
As you review each account, do your best to answer the following questions:
If the account turns out to be unauthorized or non-compliant, you will need to follow up with whoever created it. The advantage of using the first method is that security log event 4720 tells you who created the account.
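One way to apply the first method at scale, as an added example written for this page (not code from the article or from Randy Franklin Smith; the naming-convention regex and the seven-day window are assumed placeholders):

```powershell
# Added example (not from the original article): review recent 4720 events
# ("A user account was created") and flag new accounts whose names do not
# match a naming convention, reporting who created each one.
# ASSUMPTION: the pattern below is a sample convention; replace it with your own.
$NamingConvention = '^(svc|adm|usr)-[a-z0-9]{3,20}$'

function Get-NewAccountEvents {
    param([int]$Days = 7)   # ASSUMPTION: seven-day review window
    # 4720 is written to the Security log of the domain controller that handled
    # the creation, so run this on each DC (or a collector that forwards DC logs)
    # with an account that can read the Security log.
    $filter = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The named fields live in EventData; read them through the XML view.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated  = $_.TimeCreated
            NewAccount   = $data['TargetUserName']      # the account that was created
            NewSid       = $data['TargetSid']
            CreatedBy    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"  # who created it
            CreatorLogon = $data['SubjectLogonId']      # ties back to that admin's logon session
            Compliant    = $data['TargetUserName'] -match $NamingConvention
        }
    }
}

# List every new account, then the ones that need follow-up with their creator.
$events = Get-NewAccountEvents -Days 7
$events | Sort-Object TimeCreated | Format-Table TimeCreated, NewAccount, CreatedBy, Compliant -AutoSize
$events | Where-Object { -not $_.Compliant } |
    ForEach-Object { "Follow up with $($_.CreatedBy) about non-compliant account '$($_.NewAccount)'" }
```

Accounts that match the pattern still need the remaining review questions answered; the pattern only catches naming violations, not unauthorized but well-named accounts.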
Read more about Randy’s 10 steps to cleaning up Active Directory