Researchers Reveal Windows Flaw Allowing Employees to Access Corporate Data After Accounts Are Supposedly Revoked - WTRF 7 News Sports Weather - Wheeling Steubenville




Logs and Security Information and Event Management (SIEM) products do not have the visibility needed to contain this type of threat

TEL-AVIV, Israel, May 6, 2014 /PRNewswire/ --

Today, Aorato revealed that disabling an account in a Windows network does not take effect immediately. In fact, due to design considerations, disabled accounts - and the same goes for deleted, expired and locked-out accounts - effectively remain valid for up to 10 hours after they have supposedly been revoked. As a consequence, so-called disabled accounts expose the corporation to advanced attackers seeking to gain access to the corporate network. Departing employees whose user accounts have been disabled can also potentially continue to access corporate data.

With 95% of Fortune 1000 companies running a Windows-based network, this flaw affects enterprises across industries. Organizations seeking to comply with the Payment Card Industry (PCI) Data Security Standard will find that this authentication flaw turns the requirement to immediately revoke any terminated user's access into a requirement that in reality cannot be met.

The problem lies in the Kerberos authentication protocol, which is based on an organizational "ticket". The ticket eliminates the need for employees to re-supply their username and password each time they access a system. However, because authentication and authorization rely solely on the ticket, and not on the user's credentials or account state, disabling the user's account has no effect on the employee's ability to access data and services for as long as the ticket remains valid.

"Unfortunately, Windows fails to solve this authentication flaw. Worse yet, Windows' Kerberos implementation does not externalize the ticket information through logs and events, and so exploitation of the flaw cannot be mitigated through traditional log and SIEM measures. A required solution needs to both enforce the termination of disabled user accounts as well as have visibility into the relevant information," said Tal Be'ery, VP Research at Aorato.

To mitigate, Aorato recommends that organizations monitor network traffic to Windows authentication servers in order to:

  • Recouple the ticket with the user's account state in order to eliminate the root cause of the problem
  • Monitor changes in a user's account state and activities, and in particular the revocation of the user's account
  • Terminate requests from a disabled user who presents a valid ticket to access a resource
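The toy model below is an added example, not Aorato's code or any part of Windows; it assumes a simplified Kerberos-like ticket (an HMAC-signed body with a 10-hour lifetime), a constructed account directory and a constructed access log. It shows the decoupling described above (a resource server that checks only the ticket keeps honouring it after the account is disabled), the "recouple" mitigation that also consults account state on every use, and a log review that flags ticket-based access made after revocation.

```python
"""Toy model of ticket/account decoupling (added example, not Aorato's code)."""
import hmac
import hashlib
import json

TICKET_LIFETIME = 10 * 3600  # seconds; the "up to 10 hours" window from the text

# Constructed sample key; a real KDC key would never live in source.
KDC_KEY = b"constructed-kdc-key-for-demo-only"


class Directory:
    """Minimal stand-in for the account store a KDC consults (constructed)."""

    def __init__(self, users):
        self.state = {u: {"enabled": True, "disabled_at": None} for u in users}

    def disable(self, user, now):
        self.state[user] = {"enabled": False, "disabled_at": now}

    def is_enabled(self, user):
        entry = self.state.get(user)
        return bool(entry and entry["enabled"])


def _mac(body, key):
    # Canonical JSON so the same body always yields the same MAC.
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue_ticket(directory, user, service, now, key=KDC_KEY):
    """Issuer checks account state once, at issue time only."""
    if not directory.is_enabled(user):
        raise PermissionError(f"{user} is disabled; no ticket issued")
    body = {"user": user, "service": service, "issued": now,
            "expires": now + TICKET_LIFETIME}
    return {"body": body, "mac": _mac(body, key)}


def ticket_is_valid(ticket, now, key=KDC_KEY):
    """Ticket-only verification: integrity plus lifetime, nothing about the account."""
    if not hmac.compare_digest(ticket["mac"], _mac(ticket["body"], key)):
        return False
    return ticket["body"]["issued"] <= now < ticket["body"]["expires"]


def ticket_only_access(ticket, now):
    """Behaviour the press release describes: the server trusts the ticket alone."""
    return ticket_is_valid(ticket, now)


def recoupled_access(ticket, directory, now):
    """Mitigation: ticket must still be good AND the account must still be enabled."""
    return ticket_is_valid(ticket, now) and directory.is_enabled(ticket["body"]["user"])


def post_revocation_access(access_log, directory):
    """Return the ticket-based access events that happened after the account was disabled."""
    flagged = []
    for event in access_log:
        entry = directory.state.get(event["user"])
        if entry and not entry["enabled"] and event["time"] >= entry["disabled_at"]:
            flagged.append(event)
    return flagged


def scenario():
    """Timeline: ticket at t0, account disabled at t0+1h, access checked at t0+2h and t0+10h+1s."""
    t0 = 1_000_000.0
    directory = Directory(["alice", "bob"])
    ticket = issue_ticket(directory, "alice", "fileserver", t0)
    directory.disable("alice", t0 + 3600)
    # Constructed access log, as a network monitor in front of the servers might record it.
    access_log = [
        {"user": "alice", "service": "fileserver", "time": t0 + 1800},  # before disable
        {"user": "alice", "service": "fileserver", "time": t0 + 7200},  # after disable
        {"user": "bob", "service": "fileserver", "time": t0 + 7200},
    ]
    try:
        issue_ticket(directory, "alice", "fileserver", t0 + 7200)
        new_ticket_issued = True
    except PermissionError:
        new_ticket_issued = False
    return {
        "ticket_only_after_disable": ticket_only_access(ticket, t0 + 7200),
        "recoupled_after_disable": recoupled_access(ticket, directory, t0 + 7200),
        "ticket_only_after_lifetime": ticket_only_access(ticket, t0 + TICKET_LIFETIME + 1),
        "new_ticket_issued_after_disable": new_ticket_issued,
        "flagged_offsets": [e["time"] - t0 for e in post_revocation_access(access_log, directory)],
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The issuer refuses a new ticket once the account is disabled, but the ticket obtained an hour earlier still passes the ticket-only check; only the recoupled check, or the after-the-fact log review, catches it. The same gap closes on its own only when the ticket's lifetime runs out.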



About Aorato 

Aorato protects Active Directory, the world's largest Kerberos deployment, from advanced targeted attacks. At the core of Aorato's founding was the acknowledgement that Active Directory is exposed - by default and by design. Combining the company's intimate knowledge of Active Directory and cyber-security, Aorato has filled in this blind spot with its Directory Services Application Firewall (DAF). DAF automatically learns the behaviors of all entities engaging directly, or indirectly, with Active Directory. By profiling the entities, DAF builds an interaction graph between all entities in order to detect suspicious entity behavior in real time. Today, Aorato is a strongly financially backed company and boasts several enterprise customers.

Idan Plotnik

©2012 PR Newswire. All Rights Reserved.