Break things, write reports

AD - Account Lockout vs Disabled

Disabling an account in AD isn't instant, but a lockout is.

Tags: windows, active-directory | Categories: windows
Posted at — Oct 17, 2019

tl;dr - Disabling an account in AD will replicate normally, which can give an attacker quite a bit of time :)

What

Account lockout vs Disabled account

‘Normal’ replication, how fast is that?

Curiously, an account unlock is not immediate - so you can be waiting 180 minutes for the unlock to take effect in a remote office.

You can change inter-site to replicate immediately with ‘Inter-Site change notification’, but I haven’t seen it deployed in any of the places I’ve checked - but perhaps it’s common elsewhere?
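As an added example (not code from the original post), here is a PowerShell check a defender can run right after disabling an account: it asks every DC directly whether the ACCOUNTDISABLE bit has arrived yet, and lists each site link's replication interval and whether inter-site change notification is enabled. It assumes the RSAT ActiveDirectory module and a domain account with read access to the configuration partition.

```powershell
# Added example: verify a disable has converged on every DC, and inspect site links.
# Requires the ActiveDirectory RSAT module; run as a domain user with read access.
param(
    [Parameter(Mandatory)][string]$SamAccountName   # the account you just disabled
)
Import-Module ActiveDirectory

$ACCOUNTDISABLE = 0x2   # userAccountControl bit meaning "account disabled"
$USE_NOTIFY     = 0x1   # siteLink 'options' bit: inter-site change notification on

# 1. Query each DC directly (bypassing replication) for the account's state.
Write-Host "Disable state of '$SamAccountName' as seen by each DC:"
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties userAccountControl, lockoutTime -ErrorAction Stop
        $disabled = [bool]($u.userAccountControl -band $ACCOUNTDISABLE)
        $locked   = ($null -ne $u.lockoutTime) -and ($u.lockoutTime -ne 0)
        "{0,-30} site={1,-15} disabled={2,-5} lockedOut={3}" -f `
            $dc.HostName, $dc.Site, $disabled, $locked
    } catch {
        "{0,-30} unreachable: {1}" -f $dc.HostName, $_.Exception.Message
    }
}

# 2. Show how long a 'normal' change can take to cross each site link, and
#    whether change notification (immediate replication) is enabled for it.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
Write-Host "`nSite links (default replInterval is 180 minutes):"
Get-ADObject -SearchBase "CN=Inter-Site Transports,CN=Sites,$cfgNC" `
        -LDAPFilter '(objectClass=siteLink)' -Properties replInterval, options |
    ForEach-Object {
        $notify = [bool](($_.options -as [int]) -band $USE_NOTIFY)
        "{0,-25} interval={1,4} min  changeNotification={2}" -f `
            $_.Name, $_.replInterval, $notify
    }
```

Any DC still reporting disabled=False is one an offboarded user could still authenticate against until the change replicates across the link shown in the second list.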

Why does this matter

If an insider threat materialises (read: an attacker you had on payroll), disabling their account isn't going to do much, almost to the point that they could drive to another remote office and still log in to steal a bunch of stuff.

This is completely ignoring that Kerberos tickets for an account are going to last for hours, so if an attacker steals Kerberos tickets, you're going to be in grief for a few hours.

Also worth mentioning that if their machine is still logged in, and they didn't lock their Windows box, they've still got a machine they can use until other systems stop accepting Kerberos credentials (i.e. SharePoint, where you're keeping all the goodies).

Keeping that in mind, if you want to offboard your employees: