Old and unused accounts with admin access are a common entry point for attacks. They often have weaker passwords than current accounts, and those passwords are not being rotated, which makes the accounts easier to brute-force over a long period.
Two policies address this problem:
- If a vendor will be doing work for a known amount of time, set their account to expire (be made inactive) on the date their work is likely to be done. This is required by PCI DSS 3.1 section 8.1.4.
- Lock any admin account if it has not logged in to the site in 90 days. This is required by PCI DSS 3.1 section 8.1.4.
The User Expire module has provided a way to achieve the first bullet point for a while, although it had a few bugs that made it unsuitable for production use. I'm happy to say that those bugs are now fixed in the 7.x-1.3 release as of this morning :)
There's a patch to add the 90-day inactivity lockout feature which I think works fairly well. I would, of course, love some additional help reviewing all the code/functionality in the module and especially this most recent patch.
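To make the two policies concrete, here is an added example (not code from the User Expire module or its patch) of how both checks could be expressed in a Drupal 7 module's cron hook. It assumes the Drupal 7 API (`db_select()`, `user_load()`, `user_save()`, `watchdog()`, `REQUEST_TIME`), an assumed `expiration` timestamp on the user object standing in for whatever storage the module actually uses, and the assumed role name `administrator` as the marker for admin accounts:

```php
<?php
// Added example, not the User Expire module's own code.
// Assumptions: Drupal 7 API; $account->expiration (hypothetical field) holds the
// vendor's expiry date; accounts with the 'administrator' role are "admin accounts".

define('EXAMPLE_INACTIVITY_LIMIT', 90 * 24 * 60 * 60); // 90 days in seconds

/**
 * Decide whether an account should be blocked under either policy.
 *
 * @param object $account  User object with ->uid, ->status, ->access, ->created,
 *                         ->roles (rid => name) and optional ->expiration.
 * @param int    $now      Current Unix timestamp.
 * @param int    $limit    Inactivity window in seconds.
 *
 * @return string|null  'expired', 'inactive', or NULL to leave the account alone.
 */
function example_block_reason($account, $now, $limit = EXAMPLE_INACTIVITY_LIMIT) {
  // Skip anonymous and already-blocked accounts.
  if ($account->uid == 0 || !$account->status) {
    return NULL;
  }

  // Policy 1: vendor account with a fixed expiry date that has passed.
  if (!empty($account->expiration) && $account->expiration <= $now) {
    return 'expired';
  }

  // Policy 2: admin account that has not logged in for the inactivity window.
  if (in_array('administrator', $account->roles, TRUE)) {
    // {users}.access is 0 for accounts that have never logged in; measure from
    // the creation date instead so such accounts are not exempt forever.
    $last_seen = $account->access ? $account->access : $account->created;
    if ($now - $last_seen >= $limit) {
      return 'inactive';
    }
  }

  return NULL;
}

/**
 * Implements hook_cron().
 *
 * Walks active accounts and blocks those that match either policy.
 */
function example_cron() {
  $uids = db_select('users', 'u')
    ->fields('u', array('uid'))
    ->condition('u.uid', 0, '>')
    ->condition('u.status', 1)
    ->execute()
    ->fetchCol();

  foreach ($uids as $uid) {
    $account = user_load($uid);
    $reason = example_block_reason($account, REQUEST_TIME);
    if ($reason !== NULL) {
      // Blocking (status 0) rather than deleting keeps the audit trail intact.
      user_save($account, array('status' => 0));
      watchdog('example', 'Blocked account %name: @reason.',
        array('%name' => $account->name, '@reason' => $reason), WATCHDOG_NOTICE);
    }
  }
}
```

The decision logic is kept in `example_block_reason()` so it can be unit-tested with hand-built user objects and timestamps, independent of the database. On a site with many users you would push the `access`/`expiration` comparisons into the `db_select()` query and join `users_roles` rather than loading every active account on each cron run.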

Comments
User Expire 7.x-1.3 looks
User Expire 7.x-1.3 looks great! Thanks, greggles. This is now a must-have module.
Thanks
Very cool :)
I added it to my personal Drupal documentation here: http://loopduplicate.com/content/user-expire
I also submitted a small patch in the issue queue.
Cheers,
Jeff
We've Added It To Our guide
That's great @greggles. We've added it to our security guide http://openconcept.ca/drupal-security
--
OpenConcept | Twitter @mgifford | Drupal Security Guide