While they’ve been around for decades, in recent years we’ve all been introduced to squatters — people who move into an empty house that isn’t theirs and then take full advantage of the benefits of having a place to stay. They obtain utilities, set up mail delivery, maybe even meet the neighbors — all the while knowing that they shouldn’t be there.
The potential for an “Active Directory squatter” — someone who has access to systems, applications, and resources that they shouldn’t have — exists within your Active Directory as well. This situation often occurs when IT uses group memberships to provide access and either adds users to a group without considering the security ramifications or forgets to remove users from groups when new job responsibilities no longer call for specific access.
While both squatters may be undesirable, there are some distinct differences between an AD squatter and a house squatter:
- Active Directory Squatters Don’t “Move In” — They’re Made: Unlike house squatters who purposely and maliciously target homes that have been vacant for a while, Active Directory squatters are initially just users doing their job and are deliberately granted permissions by IT as part of that job. These users do not become squatters until they move from one position to another or are added as members of a group that gives them more permissions than they need. In essence, IT “moved them in” and made them squatters.
- Active Directory Squatters May Not Know That They’re Squatting: House squatters know that they’re squatters. It’s not their house, they’re not paying rent, etc. It’s self-entitlement in its purest form. In the case of AD squatters, because they didn’t create the situation (IT did), if they never try to access the application or data associated with their job function, they’ll never know they have these extra permissions.
- You May Never Know They’re Squatting: The very reason that Active Directory squatters have access is that someone in IT wasn’t paying attention either when the users changed roles or when they were granted new permissions via groups. In either case, because adding someone to a group is such a mundane task, most IT professionals simply want to get the task over with and never consider the security repercussions.
- Active Directory Squatters Can Do More Harm: The worst that a house squatter can do is not move out of your house or cause damage to the home. Granted, this is bad enough, but it is limited in scope. On the other hand, if Active Directory squatters are aware of having inappropriate access and maliciously use it, they could access applications and information that they shouldn’t, and the repercussions of such a data breach — if made public — could have a significant material impact on the company’s reputation and wallet.
- Active Directory Squatters Can Be an Avenue for Something Far Worse: If hackers compromise your network, one of their first actions is to identify the resources and information that the compromised account can access. If an account has too much access via group membership, IT’s inadvertent creation of Active Directory squatters only increases the risk of data breach.
The simple reality is that squatters exist in your Active Directory. To mitigate this situation, your first step should be to identify the security risks that lie within your specific AD environment and evaluate the state of your AD groups. Once you’ve done that, review and consider some best practices for managing groups in Active Directory.
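One concrete way to start that evaluation is to compare each user’s effective group membership (direct memberships plus anything inherited through nested groups, which is how AD resolves access) against the groups their current role actually needs. The script below is an added example, not code from this post or from GroupID; the directory, the role baseline and the user-to-role mapping are constructed sample data, and in practice they would be pulled from AD and from your HR or role catalog.

```python
from typing import Dict, Set

# Constructed sample directory (not real data): direct members of each group.
# A group can itself be a member of another group, so access is transitive.
DIRECT_MEMBERS: Dict[str, Set[str]] = {
    "Finance-Staff":   {"alice", "bob"},
    "Finance-Admins":  {"Finance-Staff"},   # nesting: every Finance-Staff member is a Finance-Admin
    "HR-Staff":        {"carol", "bob"},    # bob kept HR access after moving to Finance
    "Payroll-Readers": {"HR-Staff"},
    "Helpdesk":        {"dave"},
}

# Constructed role baseline: the groups each role legitimately needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "finance-analyst": {"Finance-Staff"},
    "hr-generalist":   {"HR-Staff", "Payroll-Readers"},
    "helpdesk":        {"Helpdesk"},
}

# Constructed current role of each user (bob moved from HR to Finance).
USER_ROLE: Dict[str, str] = {
    "alice": "finance-analyst", "bob": "finance-analyst",
    "carol": "hr-generalist", "dave": "helpdesk",
}


def effective_groups(user: str) -> Set[str]:
    """Every group the user belongs to, directly or through nested groups."""
    found: Set[str] = set()
    frontier = [user]
    while frontier:
        member = frontier.pop()
        for group, members in DIRECT_MEMBERS.items():
            if member in members and group not in found:
                found.add(group)
                frontier.append(group)   # this group may itself be nested elsewhere
    return found


def excess_groups(user: str) -> Set[str]:
    """Groups granting the user access beyond what their current role needs."""
    allowed = ROLE_BASELINE.get(USER_ROLE[user], set())
    return effective_groups(user) - allowed


def squatter_report() -> Dict[str, Set[str]]:
    """Map each user holding excess memberships to the groups to review."""
    return {u: excess for u in USER_ROLE if (excess := excess_groups(u))}


if __name__ == "__main__":
    for user, groups in sorted(squatter_report().items()):
        print(f"{user}: review {', '.join(sorted(groups))}")
```

Note that alice is flagged even though nobody added her anywhere extra: the nested Finance-Admins group quietly widened her access, which is exactly the case where neither IT nor the user notices.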
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.