Locking vendor accounts after their job is over, locking inactive admin accounts at 90 days


Old and unused accounts with admin access are a common entry point for attacks. They often have weaker passwords than a current account, and the passwords are not being rotated, making the accounts easier to brute-force over a long period.

There are two policies that create a solution to this problem:

  1. If a vendor will be doing work for a known amount of time, set their account to expire (be made inactive) on the date their work is likely to be done. This is required by PCI DSS 3.1 section 8.1.4.
  2. Lock any admin account if it has not logged in to the site in 90 days. This is required by PCI DSS 3.1 section 8.1.4.

The User Expire module has provided a way to achieve the first bullet point for a while, although it had a few bugs that made it unsuitable for production use. I'm happy to say that those bugs are now fixed in the 7.x-1.3 release as of this morning :)

There's a patch to add the 90 day inactivity lockout feature which I think works fairly well. I would, of course, love some additional help reviewing all the code/functionality in the module and especially this most recent patch.
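As an added illustration of the two policies above (not code from the User Expire module or from the post), here is a small check over constructed account records shaped like Drupal 7's users table. The admin role name, the uid 1 exclusion, and the handling of accounts that never logged in (counted from creation) are my assumptions, not statements from the post.

```python
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=90)   # 90-day threshold from PCI DSS 3.1 req. 8.1.4
ADMIN_ROLES = {"administrator"}         # assumption: roles treated as "admin"
NOW = datetime(2015, 6, 1, tzinfo=timezone.utc)  # constructed "today"

def accounts_to_lock(users, now):
    """Return {uid: reason} for active accounts that should be blocked.

    Each user dict is constructed to mirror Drupal 7 user fields:
      uid, name, status (1 active / 0 blocked), roles (set),
      created (datetime), last_login (datetime or None = never logged in),
      expire (datetime or None = no vendor end date recorded)
    """
    result = {}
    for u in users:
        if u["status"] == 0:
            continue            # already blocked, nothing to do
        if u["uid"] == 1:
            continue            # assumption: never auto-lock the site owner account
        # Rule 1: vendor account whose agreed end date has passed
        if u["expire"] is not None and u["expire"] <= now:
            result[u["uid"]] = "expired"
            continue
        # Rule 2: admin account with no login in the last 90 days.
        # An account that never logged in has no login timestamp; count from
        # creation so it is caught too instead of surviving forever.
        if u["roles"] & ADMIN_ROLES:
            reference = u["last_login"] or u["created"]
            if now - reference >= INACTIVITY_LIMIT:
                result[u["uid"]] = "inactive"
    return result

def _user(uid, name, roles, login_days_ago=None, created_days_ago=365,
          expire_days_ago=None, status=1):
    """Build one constructed record relative to NOW."""
    ago = lambda d: None if d is None else NOW - timedelta(days=d)
    return {"uid": uid, "name": name, "status": status, "roles": set(roles),
            "created": ago(created_days_ago), "last_login": ago(login_days_ago),
            "expire": ago(expire_days_ago)}

# Constructed sample: one of each situation the two rules have to handle.
SAMPLE_USERS = [
    _user(1, "owner", ["administrator"], login_days_ago=200),        # skipped (uid 1)
    _user(2, "vendor", ["editor"], login_days_ago=3, expire_days_ago=17),  # expired
    _user(3, "old-admin", ["administrator"], login_days_ago=91),     # inactive
    _user(4, "active-admin", ["administrator"], login_days_ago=10),  # fine
    _user(5, "ghost-admin", ["administrator"], created_days_ago=120),  # never logged in
    _user(6, "blocked", ["administrator"], login_days_ago=500, status=0),  # already blocked
    _user(7, "editor", ["editor"], login_days_ago=400),               # not an admin
]

if __name__ == "__main__":
    for uid, reason in sorted(accounts_to_lock(SAMPLE_USERS, NOW).items()):
        print(f"lock uid {uid}: {reason}")
```

Running it prints uids 2 (expired), 3 and 5 (inactive); a real implementation would call Drupal's user blocking from cron instead of printing.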


User Expire 7.x-1.3 looks


User Expire 7.x-1.3 looks great! Thanks, greggles. This is now a must-have module.



Very cool :)
I added it to my personal Drupal documentation here: http://loopduplicate.com/content/user-expire
I also submitted a small patch in the issue queue.


We've Added It To Our guide


That's great @greggles. We've added it to our security guide http://openconcept.ca/drupal-security