SLAC Computer Security
Account Closure Project
Team Lead: Steffen Luitz (or maybe Teresa...?)

SCCS needs to create a process to close all accounts which are no longer being used. As of December 2007 we had approximately 950 Unix and 1600 Windows accounts which had expired. We must get all of these disabled and closed, and we must create a process and procedure to take care of closing expired accounts on a regular basis (weekly/monthly).

Definition of expired: it has been at least 12 months since the last password change.

Status Update: 3/25/09
Unix:
620 disabled Unix accounts in RES. Asked unix-admin to mass delete any that have been disabled for more than 6 months. Len requested that they be deleted in smaller groups to reduce the load on the hot seat in case of requests to recover accounts. I see evidence of automation in the RES logs (e.g. root@nis1 is doing res disable commands as recently as 3/24/09). Need the DB group to step in here to get these into the account closure process referred to in Task 6 below.
Windows:
103 disabled Windows accounts in RES. A search of disabled accounts in Active Directory finds 693 accounts. There is some automation going on in Windows, and the Pending Delete bucket has 573 accounts. Need the DB group to step in here to: 1) mark the RES entries as "disabled" and 2) get these into the account closure process referred to in Task 6 below.
Task list (for each task: prerequisite task, description, contact, date done)

Task 1 (prerequisite: none)
  Create list of Unix "expired" accounts. These are accounts where the password was last changed before 3/1/07.
  Contact: Karl. Done: 02/29/08.

Task 2 (prerequisite: none)
  Create list of Windows "expired" accounts. We have the list now. It is 1180 accounts. Some of these people might never have received a password expiration warning. Some are secondary accounts which are not logged into.

  3/4/08: Asked Steffen and JP whether we should send out a final warning to these people before administratively disabling them. Yes. We have to. There are confirmed cases where emails were not sent out.

  3/5/08: Ben and JP are looking into the situation. He needs to confirm that the email notification logic is correct (take the primary email address of the owner of the account) and will also have to do a special run to generate emails for these Windows accounts.

  3/12/08: Decided in the Security Team meeting NOT to send the Windows last warning message. We will just submit the accounts for closure to the mass closure Oracle table and let Kamil send out the account closure emails.

  3/15/08: Create list of 1297 accounts for George/Ven. These are accounts where the password was last changed before 3/1/07.
  Contact: Teresa. Done: 03/15/08.

Task 3 (prerequisite: Task 1)
  Disable all the Unix accounts and update RES to show the "unix" account is DISABLED.
  Contact: Alf. Done: 03/03/08.

Task 4 (prerequisite: Task 2)
  Administratively disable all the Windows accounts. This process is automated. Part 1: the password is scrambled and the Description is changed to say [Password Scrambled]. Some time later the account is moved to the Pending Delete bucket and the account is disabled.
  Contact: JP, Teresa. Done: 08/15/08.

Task 5 (prerequisite: Task 4)
  Automate the process to synchronize the RES enabled/disabled status based on whether the account is currently enabled or disabled in AD. ACTION: Teresa asked George and JP on 3/25/09.
  Contact: JP, George. Done: (not yet)

Task 6 (prerequisite: none)
  Create web front-end and back-end scripts to be used for the account closure processes (similar to the "gone" process).

  3/12/08: In progress. Teresa reviewed Ven's progress and plan and replied to him and Steffen via email.
  Contact: George, Venkat. Done: (not yet)

Task 7 (prerequisite: Task 6)
  Train the SCCS Accounts group in the use of the account closure tools.
  Contact: Teresa. Done: (not yet)

Task 8 (prerequisite: Task 7)
  We'll need an automated process to catch dangling accounts like Oracle (an Oracle account without either a Windows or a Unix account is useless and should be closed as well). We have some automation here in that we find active owners, or we delete Oracle accounts whenever they end up being owned by GONE people.
  Contact: Teresa. Done: (not yet)
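The three checks the task list asks for (expired accounts under the 12-month password-age definition, RES versus AD enabled/disabled drift from Task 5, and dangling Oracle accounts from Task 8) can be expressed as one reconciliation pass over an account inventory. The script below is an added illustration written for this page, not SLAC's RES tooling or any of the scripts mentioned above; the account records, the field names (system, user, owner, last_pw_change, res_enabled, ad_enabled) and the status date are constructed assumptions standing in for exports from RES, AD and Oracle.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real SLAC data). One record per account.
# "res_enabled" is the RES registry flag; "ad_enabled" exists only for Windows
# accounts and stands in for the Active Directory enabled flag.
ACCOUNTS = [
    {"system": "unix",    "user": "alice", "owner": "alice", "last_pw_change": date(2008, 9, 1),  "res_enabled": True},
    {"system": "unix",    "user": "bob",   "owner": "bob",   "last_pw_change": date(2007, 1, 15), "res_enabled": True},
    {"system": "windows", "user": "carol", "owner": "carol", "last_pw_change": date(2007, 2, 20), "res_enabled": True,  "ad_enabled": False},
    {"system": "windows", "user": "dave",  "owner": "dave",  "last_pw_change": date(2008, 11, 3), "res_enabled": True,  "ad_enabled": True},
    {"system": "windows", "user": "erin",  "owner": "erin",  "last_pw_change": date(2008, 6, 10), "res_enabled": False, "ad_enabled": True},
    {"system": "oracle",  "user": "frank", "owner": "frank", "last_pw_change": date(2008, 8, 1)},
    {"system": "oracle",  "user": "alice", "owner": "alice", "last_pw_change": date(2008, 8, 1)},
]

# The page's status-update date, used as "today" so the run is reproducible (assumption).
STATUS_DATE = date(2009, 3, 25)

# The page's definition of expired: at least 12 months since the last password change.
EXPIRY = timedelta(days=365)


def expired_accounts(accounts, today=STATUS_DATE, systems=("unix", "windows")):
    """Return (system, user) for every Unix/Windows account whose password
    has not been changed in the last 12 months. These are the candidates
    for administrative disabling (Tasks 1 to 4)."""
    return sorted(
        (a["system"], a["user"])
        for a in accounts
        if a["system"] in systems and today - a["last_pw_change"] >= EXPIRY
    )


def res_ad_mismatches(accounts):
    """Task 5: Windows accounts whose RES enabled flag disagrees with AD.
    Returns (user, res_enabled, ad_enabled); RES should be updated to match AD,
    since AD is where the account is actually disabled."""
    return sorted(
        (a["user"], a["res_enabled"], a["ad_enabled"])
        for a in accounts
        if a["system"] == "windows" and a["res_enabled"] != a["ad_enabled"]
    )


def dangling_oracle_accounts(accounts):
    """Task 8: Oracle accounts whose owner no longer has an enabled Unix or
    Windows account. An owner whose login accounts have all been disabled
    (or who is GONE, and so has none) leaves an Oracle account that should
    be closed as well."""
    owners_with_login = {
        a["owner"] for a in accounts
        if a["system"] in ("unix", "windows") and a["res_enabled"]
    }
    return sorted(
        a["user"] for a in accounts
        if a["system"] == "oracle" and a["owner"] not in owners_with_login
    )


def closure_report(accounts=ACCOUNTS, today=STATUS_DATE):
    """One pass producing the three work lists the task list calls for."""
    return {
        "expired": expired_accounts(accounts, today),
        "res_ad_mismatch": res_ad_mismatches(accounts),
        "dangling_oracle": dangling_oracle_accounts(accounts),
    }


if __name__ == "__main__":
    for name, rows in closure_report().items():
        print(f"{name}: {rows}")
```

Run against the constructed inventory on 3/25/09, the report flags bob (Unix) and carol (Windows) as expired, shows carol (disabled in AD but still enabled in RES) and erin (the reverse) as Task 5 sync work, and lists frank's Oracle account as dangling because frank has no Unix or Windows account at all. A weekly run of this kind of pass is what the "regular basis" requirement in the project statement amounts to.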

 

Owner: SLAC Computer Security
Page Created: 02/29/2008
Last Updated: 07/22/2010
Feedback: Please send to Computer Security Feedback