In IT audits of Active Directory, Randy Franklin Smith frequently find a surprising number accounts that should never have been created or that were created without following the organization’s standards for naming convention or other policies. One reason that this happens is because too many people in the IT department have authority to create accounts. Intruders often create backdoor accounts. Successful intruders, both human and automated, often create backdoor accounts to ensure continued access and to obfuscate their activity. Flame, a recent weaponized malware, specifically attempted to create such an account whenever it discovered that it was running under the authority of a domain admin. Stop them when the account is created.
So tracking down new accounts is crucial — but also time-consuming and often inconclusive.
The best time to track down provenance of a new but non-compliant account is when it’s first created:
- You can identify who created the account.
- The account creator is still at your company.
- The creator remembers why the account was created.
How to monitor and review new accounts There are two ways to review and respond to new accounts:
- Monitor AD domain controller security logs for event ID 4720 (you need to enable the User Account Management audit subcategory).
- Run the Output-ADUsersAsCSV script and sort on the WhenCreated column.
As you review each account, do your best to answer the following questions:
- Is there a work ticket or other corroborating documentation for this account?
- Does the account match established naming conventions?
- Does the account comply with your organization’s other account-creation standards and policies?
If the account turns out to be unauthorized or non-compliant, you will need to follow up with whoever created it. The advantage with using the first method is that the security log event 4720 tells you who created the account.