Inactive UsersApplies to

Applications written using Servlets or JSP.

What to Do

Automatically lock inactive user accounts. Log the instance when accounts have been locked.

Why

Inactive user accounts increase the attack surface of the application and can be used by an attacker as a means of entry.

When

Design your application so that inactive user accounts can be detected and locked. After deployment, set the system to lock inactive accounts after an appropriate amount of time.

How

Use the following steps when locking inactive user accounts:

  1. Set a lockout policy. Create the application's lockout policy. Determine the necessary duration of inactivity before an account can be locked/disabled. This policy can vary depending on whether the account is of a normal user or an administrator. For example, disable normal accounts after 45 days of inactivity and administrative accounts after 30 days of inactivity.

  2. Keep track of user inactivity. Establish a mechanism to keep track of the last successful authentication. Successful authentication can be tracked via logs or a timestamp, which resides in the user database. Example:

    sql> select username, last_login_date from users;
    +----------+-----------------+
    | username | last_login_date |
    +----------+-----------------+
    | adam | 2006-10-11 |
    | sue | 2006-10-11 |
    | jim | 2006-10-01 |
    | richard | 2006-10-01 |
    | julie | 2006-09-23 |
    | sam | 2006-06-23 |
    +----------+-----------------+
  3. Set a lockout mechanism. Establish a mechanism to verify the current period of inactivity and automatically set the disabled bit for inactive accounts. Using the application or database server's scheduler, activate such functionality to run during the hours with least user activity. Keep in mind that inactive accounts should be disabled, but not removed until it is confirmed that they should be completely removed. Create a log entry when an account has been disabled.

    For example, the following database transaction would lock all user accounts that have been inactive for more than 30 days. Such transaction should be scheduled to run once a day:

    sql> update users set locked = 1
    where (current_date - 30) > last_login_date

    Note: The statement above uses Oracle syntax. Please consult your database manual if you use a different database engine.

Note: PCI DSS requirements state that a user account should be locked out after no more than 90 days of inactivity.