Implement policies for user account provisioning, de-provisioning, and auditing.
389-IAM-004 - severity: medium
| Field | Value |
|---|---|
| Control ID | 389-IAM-004 |
| Severity | medium |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | AC-2, AC-2(3) |
| DISA SRG | SRG-APP-000025, SRG-APP-000163 |
Rationale
Stale and orphaned accounts - former employees, ended contractor engagements, decommissioned service accounts - accumulate over time and represent access that no one is actively monitoring or defending. An attacker who discovers a dormant account can use it to blend in with normal directory traffic, avoiding the behavioural anomalies that might trigger detection for a newly created account. The 389DS Account Policy plugin addresses the automated enforcement half of this problem by recording each account's last successful bind via lastLoginTime and automatically disabling accounts that exceed a configurable inactivity threshold (accountInactivityLimit), cutting off access before the account can be exploited. This automated gating must be paired with an organisational provisioning and periodic review process, because the plugin cannot enforce HR-driven offboarding, catch service accounts kept active by scripted logins but no longer legitimately needed, or verify that access levels remain appropriate as roles change. Together, automated inactivity enforcement and a structured review cycle satisfy AC-2 (Account Management) and AC-2(3) (Disable Inactive Accounts), reducing the overall attack surface and supporting compliance evidence for account lifecycle controls.
Check
Confirm the Account Policy plugin is enabled and configured to record login time and enforce an inactivity limit.
dsconf <instance> plugin account-policy show
Remediation
Enable the Account Policy plugin and configure inactivity-based de-provisioning.
dsconf <instance> plugin account-policy enable
dsconf <instance> plugin account-policy config-entry set "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" --always-record-login yes --state-attr lastLoginTime --alt-state-attr 1.1 --spec-attr acctPolicySubentry --limit-attr accountInactivityLimit
dsctl <instance> restart
References
Implementation Notes
The Account Policy plugin requires --always-record-login yes to function correctly; without it, the lastLoginTime attribute is not updated on every bind and the inactivity calculation is unreliable. The inactivity limit is expressed in seconds and is set per policy entry via the accountInactivityLimit attribute on a policy object, which is then linked to users or subtrees through the acctPolicySubentry attribute. A restart is required after enabling the plugin.
For accounts owned by automated systems that bind on a regular schedule, the inactivity window must be longer than the longest expected gap between scheduled runs; otherwise the plugin will disable active service accounts. Pair this control with 389-LM-001 (audit logging) so that account disable events and all provisioning operations are recorded, and schedule a periodic ACI and account review that covers both human user accounts and service accounts (see 389-IAM-003).