
The MSP Security Gap
The dormant admin account
The scenario:
He left two years ago. His admin account is still enabled.
Dormant accounts are attacker gold. They have established access, they don't trigger "new account" alerts, and nobody's watching them. Former employees, contractors who finished projects, service accounts for decommissioned systems - they accumulate like sediment, each one a potential entry point.
These accounts are particularly dangerous when they retain elevated privileges. An attacker who compromises a dormant admin account inherits full access to systems the legitimate user hasn't touched in months. There's no recent pattern of legitimate use to compare against, and no user to notice something's wrong. The one signal that does exist, a sign-in on an account that has been silent for months, only helps if someone is alerting on it, and these are exactly the accounts nobody is watching.
Clean up dormant accounts by running regular access reviews - quarterly at minimum. Automate disablement after 90 days of inactivity, with two caveats: measure inactivity for service accounts by their non-interactive sign-ins as well, or every account that authenticates without a console login will look idle, and exempt documented break-glass accounts, which are supposed to sit unused. Require re-certification for privileged accounts. Include contractor and service accounts in your review scope. Create offboarding checklists that are actually followed, with account disablement as a step someone verifies rather than ticks.
Account hygiene is boring until it's not. The breach that starts with a forgotten service account will be traced back to whoever was responsible for access reviews.
Do this:
Pull a list of accounts that haven't signed in for 90+ days across one client's M365 or Google Workspace tenant. How many are there? Disable the obvious ones, and note which of the rest are service, break-glass or privileged accounts that need a human decision rather than a script.
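The M365 half of that exercise, as an added example that is not code from the original article: it sorts Microsoft Graph user records into dormant, never-used, excluded and active buckets, treats non-interactive sign-ins as activity so service accounts are not flagged by mistake, keeps break-glass accounts out of the disable list, and builds the Graph call that disables an account without sending it. It assumes the v1.0 `users` endpoint with `signInActivity` (User.Read.All and AuditLog.Read.All, Entra ID P1/P2), that the privileged set comes from a separate directory-role query not shown here, and the `contoso.example` records are constructed sample data. The Google Workspace equivalent (`users.list` with `lastLoginTime` from the Admin SDK Directory API) is not shown.

```python
"""Dormant-account review for an Entra ID (Microsoft 365) tenant.

Added example, not code from the original article. It assumes the Microsoft
Graph v1.0 `users` endpoint queried with `$select=...,signInActivity`, which
needs the User.Read.All and AuditLog.Read.All permissions and an Entra ID P1/P2
licence. The records in SAMPLE_USERS are constructed, not real tenant data.
"""
from datetime import datetime, timezone

# The query to run against a real tenant (page size 999; follow @odata.nextLink).
GRAPH_USERS_URL = (
    "https://graph.microsoft.com/v1.0/users"
    "?$select=id,userPrincipalName,accountEnabled,createdDateTime,signInActivity&$top=999"
)


def _parse(ts):
    """Graph timestamps are ISO-8601 UTC with a trailing Z; null stays None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def last_activity(user):
    """Most recent sign-in of either kind. Service accounts and token refreshes
    appear only as non-interactive sign-ins, so checking lastSignInDateTime
    alone would flag accounts that are in daily use."""
    sia = user.get("signInActivity") or {}
    stamps = [_parse(sia.get("lastSignInDateTime")),
              _parse(sia.get("lastNonInteractiveSignInDateTime"))]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def review(users, now, threshold_days=90, exclude_upns=(), privileged_upns=()):
    """Bucket accounts by idle time. Each entry carries the UPN, days idle and
    whether the account holds a directory role; the privileged set is assumed
    to come from a separate directoryRoles/members query (not shown)."""
    excluded = {u.lower() for u in exclude_upns}      # documented break-glass accounts
    privileged = {u.lower() for u in privileged_upns}
    out = {"dormant": [], "never_signed_in": [], "excluded": [],
           "already_disabled": [], "active": []}
    for u in users:
        upn = u["userPrincipalName"]
        entry = {"id": u["id"], "upn": upn, "privileged": upn.lower() in privileged}
        if not u.get("accountEnabled", True):
            out["already_disabled"].append(entry)
            continue
        if upn.lower() in excluded:
            out["excluded"].append(entry)   # review by hand, never auto-disable
            continue
        last = last_activity(u)
        if last is None:
            # Never used: suspicious only once the account itself is older than the threshold.
            entry["days_idle"] = (now - _parse(u["createdDateTime"])).days
            bucket = "never_signed_in" if entry["days_idle"] >= threshold_days else "active"
        else:
            entry["days_idle"] = (now - last).days
            bucket = "dormant" if entry["days_idle"] >= threshold_days else "active"
        out[bucket].append(entry)
    # Privileged first, then longest idle, so the review starts with the worst cases.
    out["dormant"].sort(key=lambda e: (not e["privileged"], -e["days_idle"]))
    return out


def disable_request(user_id):
    """The Graph call that disables one account, as (method, URL, JSON body).
    Sending it needs User.ReadWrite.All; this function only builds it."""
    return "PATCH", f"https://graph.microsoft.com/v1.0/users/{user_id}", {"accountEnabled": False}


# Constructed sample in the shape Graph returns. Review date fixed so results are stable.
REVIEW_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"id": "0001", "userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "createdDateTime": "2019-03-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-30T09:15:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-05-31T06:00:00Z"}},
    # Former admin: left two years ago, account never disabled
    {"id": "0002", "userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "createdDateTime": "2018-06-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2022-04-12T00:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2022-04-12T00:00:00Z"}},
    # Service account: busy every night, but only via non-interactive sign-ins
    {"id": "0003", "userPrincipalName": "svc-backup@contoso.example", "accountEnabled": True,
     "createdDateTime": "2021-01-10T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": None,
                        "lastNonInteractiveSignInDateTime": "2024-05-31T02:00:00Z"}},
    {"id": "0004", "userPrincipalName": "contractor@contoso.example", "accountEnabled": True,
     "createdDateTime": "2023-09-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-01-05T00:00:00Z"}},
    {"id": "0005", "userPrincipalName": "breakglass@contoso.example", "accountEnabled": True,
     "createdDateTime": "2020-01-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-01-01T00:00:00Z"}},
    {"id": "0006", "userPrincipalName": "newhire@contoso.example", "accountEnabled": True,
     "createdDateTime": "2024-05-25T00:00:00Z"},                    # no signInActivity yet
    {"id": "0007", "userPrincipalName": "ghost@contoso.example", "accountEnabled": True,
     "createdDateTime": "2023-02-01T00:00:00Z"},                    # created, never used
    {"id": "0008", "userPrincipalName": "old-admin@contoso.example", "accountEnabled": False,
     "createdDateTime": "2017-01-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2021-08-01T00:00:00Z"}},
]


def run_sample():
    """Run the review over the constructed tenant with the assumed role and break-glass lists."""
    return review(SAMPLE_USERS, REVIEW_TIME,
                  exclude_upns=["breakglass@contoso.example"],
                  privileged_upns=["bob@contoso.example", "old-admin@contoso.example"])


if __name__ == "__main__":
    result = run_sample()
    for name in ("dormant", "never_signed_in"):
        for e in result[name]:
            method, url, body = disable_request(e["id"])
            print(f"{name:16} {e['upn']:28} idle {e['days_idle']:4}d "
                  f"privileged={e['privileged']}  -> {method} {url} {body}")
    print("excluded (review by hand):", [e["upn"] for e in result["excluded"]])
```

Against the sample, `bob` (the two-years-gone admin) comes out first in the dormant list, `contractor` second, `ghost` lands in the never-signed-in bucket, and `svc-backup` stays active because its nightly non-interactive sign-ins count; an interactive-only check would have queued it for disablement. For a real tenant, replace `SAMPLE_USERS` with the paged results of `GRAPH_USERS_URL` and feed the `disable_request` output to an authenticated HTTP client only after the review has been signed off.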