I was working a license cleanup project lately and this morning, the automation went live. The system sent 182 emails to people who have not logged into the Enterprise Vault system in more than 80 days. This includes a number of people who haven’t logged in for more than a year.
I received a DM from a user who told me he got the email and logged in (FOMO #1) so his access is good now for another 90 days.
He stated that he did not see anything in the system for him. No elevated accounts that he could get the password for. He then goes on to tell me, he hasn’t used his elevated rights account in more than 6 months.
I look in the Active Directory and his account is missing. We delete any account that isn’t used for more than 90 days.
He then goes on to ask me if I can create a new elevated rights account for him so he can use the vault. This is FOMO #2, if you haven’t used an account for more than 6 months, YOU DON’T NEED THAT ACCOUNT!!!!!!!!
When you have elevated accounts in the AD, they pose a certain level of risk. When that account is there so that you have it “just in case I need it”, it is sitting there, just waiting to be compromised. When you use your account on a regular basis, you will know pretty quickly if someone changes your password.
Fortunately, being an elevated rights account, we vault it and rotate the password every night regardless of use. This offers some protection from users who suffer from FOMO and won’t let go of what they have.
Unfortunately, this goes the same for non-person accounts, better known as service accounts. Service accounts are accounts that are used on servers and in applications that don’t require a password change all the time. The general policy in most companies is to rotate the password every year but since automatic password rotation can and often does break something in production, people opt for a manual password rotation and we promise we will do that! Then they forget all about it.
I had a user tell me he needed access to the SCCM service account which used to be an admin on every Windows computer in the company. He told me he had no idea what SCCM was or what the service account was actually for BUT everyone on his team had access to it so he needed access to it as well. Again we have FOMO compromising security.
We’ve since mitigated the need for SCCM to be an admin but not all companies make that effort.
If you have something you don’t use or something you don’t have any understanding of, please don’t ask for it. I promise, you aren’t missing out on anything. If you find you suddenly have a need for access, it can be granted pretty easily so ask when you need it, don’t hold on to it longer than you need.