4. Shared Active Directory Account FAQs
Here, we will address all questions about shared accounts:
What is a shared account in Active Directory?
A shared account is basically just that - an account that can be utilized by multiple users for the purposes of sharing the login information. Like all accounts, these accounts are created in the "background" within Active Directory and are designated for the use of logging into accounts within your organization's network (otherwise called a Domain).
Why would I want to make a Shared Active Directory Account?
Shared accounts can provide multiple people with a singular account to share between themselves and access shared resources (such as network shares) all from one user account.
What are some Examples of Shared Accounts?
Guest - This account can typically be created for instances where anyone outside of the organization can access the computer for their own personal use. This is common in libraries and community centers.
Temp/Intern - These types of accounts may have access to some limited network resources within the organization since organizations may have many users who come and go at any one time.
Are there any drawbacks?
Yes, there are numerous drawbacks to organizing your user accounts this way.
Shared accounts by definition, means that multiple users may access resources through a singular account. This does not provide any user accountability and therefore, can make auditing an organization's technical environment a difficult process. This means that if a user signs in and does something that endangers the network, all users who share that access can be blamed and/or scrutinized, which can distract from addressing the damage that was done in a timely manner.
Shared accounts are usually linked with a shared, communal network drive that provides all users with the ability to make changes. While it is possible to fine-tune these permissions with individual users, shared accounts cannot distinguish between one user and another using the same account - again, due to not having any ability to provide accountability. While it is possible to limit the access to especially sensitive resources, a user may still get into things that are not meant for his/her eyes, simply by having to share the "space" with others. This can be a huge security concern if sensitive data needs to be kept separate from certain users.
Shared accounts also make password management a huge security concern. Because multiple users can access these accounts, passwords have to be known to more than one individual and as such, cannot be changed regularly to provide sound security practices. This can be where you'd have to write it down and leave it near a computer or make it as simple as possible, which means that its easier for an unauthorized user to crack and/or for an authorized user to access that account and its contents. Furthermore, if a former employee used to use that account and knows the password has never been changed, even when other employees have left, there isn't anything stopping them from attempting to come back to an organization and try to access resources or cause damage.
What do I need to consider before deciding to have a Shared Account?
Before moving forward with creating or asking about such accounts, ask what the purpose will be and whether it truly makes sense for your organization to have them?
How/What policies will you create to secure those accounts?
What kind of permissions will these accounts have when accessing your network's shared resources? Write Only, Read Only? In such scenarios, it would be strongly discouraged to allow Full Control, which gives the ability to delete things.
How will you make policies about Password management? What about the frequency and process of changing the Password?
What does ETTE Recommend regarding Shared Accounts?
Because we take your security very seriously, ETTE's recommendation will always be to maintain individual accounts only, with very limited, if any, shared accounts.
However, we understand that there are a few select instances where a shared account may need to happen. In such cases, we will work with you to provide the most sound processes to maintain the security of your organization's network and its contents. If you have any questions about the content you've seen here or how to secure your own shared accounts, please feel free to contact us and we'll be happy to assist you.