Detect unused active Windows accounts (QID 105234)
This topic includes information about the detection details for QID 105234, which identifies unused active Windows accounts.
The QID 105234 (Unused Active Windows Accounts Found) identifies active user accounts that have never logged on to the system.
To detect QID 105234, the scanner enumerates user accounts using the SamrEnumerateUsersInDomain() Windows MS-RPC call, as documented in MS-SAMR on MSDN. It then reads the LastLogon value for each account. If the value is 0, the scanner flags the account as unused and posts the QID.
The LastLogon value is updated only during interactive logins.
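The following PowerShell script is an added example, not part of the Qualys article, that reproduces the QID 105234 check locally on a Windows host so an administrator can validate a finding before disabling accounts. It assumes the Microsoft.PowerShell.LocalAccounts module is available; the built-in account exclusion list is an assumption for triage and should be adjusted to your baseline.

```powershell
# Added example (not Qualys code): list enabled local accounts that have never
# logged on, which is what QID 105234 flags. The scanner reads the SAMR LastLogon
# FILETIME and flags a value of 0; Get-LocalUser exposes the same field as a
# nullable [DateTime], so "never logged on" appears as $null.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).

# Built-in accounts that are commonly enabled but never log on interactively.
# Assumed triage exclusions; adjust to match your own baseline.
$BuiltInExclusions = @('DefaultAccount', 'WDAGUtilityAccount')

function Get-UnusedActiveLocalAccount {
    param(
        [string[]]$Exclude = $BuiltInExclusions
    )
    Get-LocalUser |
        Where-Object {
            $_.Enabled -and
            $null -eq $_.LastLogon -and
            $_.Name -notin $Exclude
        } |
        Select-Object Name, Enabled, LastLogon, PasswordLastSet,
            @{ Name = 'SID'; Expression = { $_.SID.Value } }
}

# Report the accounts the scanner would post QID 105234 for.
$unused = Get-UnusedActiveLocalAccount
if ($unused) {
    Write-Host 'Enabled local accounts with no recorded logon (QID 105234 candidates):'
    $unused | Format-Table -AutoSize
} else {
    Write-Host 'No enabled local accounts without a recorded logon.'
}

# Caveat from the article: LastLogon is updated only for interactive logons, so an
# account used purely for network or service authentication can still show $null.
# Confirm each account's purpose before remediating.

# Remediation: disable rather than delete, so the SID and any file ownership can be
# recovered if the account turns out to be needed. Run with -WhatIf first.
# $unused | ForEach-Object { Disable-LocalUser -Name $_.Name -WhatIf }
```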
Because QID 105234 is flagged based on responses to MS-RPC calls, it may also be reported on Unix systems running Samba. However, Samba does not always update the LastLogon value when a user logs in. As a result, Qualys may still flag the QID if the LastLogon value returned during the scan is 0. To learn more about this behavior, see Samba Bug 11659.
To avoid false positives, ensure that Samba is configured to update the LastLogon value correctly during user logins.
In standalone file server mode, Samba does not directly manage user logins. In this configuration, Samba provides file sharing and authentication by using local user accounts. However, it does not maintain full login information or status updates the way a domain controller does. As a result, the LastLogon value may not be updated, which can affect QID 105234 detection.
Because Samba does not process true logon events in standalone mode, it does not update the LastLogon field when users access shares. As a result, QID 105234 may be flagged because the scanner cannot distinguish between Samba running as a standalone server and as a domain member.
In standalone server mode, Samba authenticates users by using local accounts but does not update the LastLogon value. As a result, the value may not reflect actual login activity. To learn more about setting up Samba as a standalone server, see the official Samba wiki page.