As part of our extensive research on the Kerberos authentication protocol, we found that, contrary to the actual aim of Kerberos and to common sense, disabling an account in a Windows network does not take effect immediately. In fact, due to design considerations, disabled accounts (and the same goes for deleted, expired and locked-out accounts) effectively remain valid for up to 10 hours after they were supposedly revoked. The consequence? So-called disabled accounts expose the corporation to advanced attackers seeking access to the corporate network. Unfortunately, traditional security measures such as logs and SIEM products, which we rely upon to alert on such misuse, do not have the visibility needed to contain this type of threat.
More here: http://www.aorato.com/blog/windows-authentication-flaw-allows-deleteddisabled-accounts-access-corporate-data/
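As an added example (not code from the Aorato post), the following Python sketches one way a defender could make this window visible from domain controller logs: it pairs account revocation events (4725 disabled, 4726 deleted, 4740 locked out) with later Kerberos service-ticket requests (4769) by the same account inside the default 10-hour TGT lifetime. The log records are constructed for the example and simplified to (timestamp, event id, account, service) tuples; a real SIEM would read the corresponding Security log fields instead.

```python
from datetime import datetime, timedelta

# Default Kerberos TGT lifetime: a ticket issued before the account was revoked
# keeps working for service-ticket requests until it expires.
TGT_LIFETIME = timedelta(hours=10)

# Windows Security log event IDs written by a domain controller.
REVOKE_EVENTS = {4725: "disabled", 4726: "deleted", 4740: "locked out"}
SERVICE_TICKET_EVENT = 4769  # Kerberos service ticket (TGS-REQ) issued

# Constructed sample records (not real log data), simplified to
# (timestamp, event id, account, requested service).
SAMPLE_LOG = [
    ("2014-07-14 08:00:00", 4769, "jdoe", "cifs/fileserver"),  # before revocation
    ("2014-07-14 09:15:00", 4725, "jdoe", ""),                 # jdoe disabled
    ("2014-07-14 11:30:00", 4769, "jdoe", "cifs/fileserver"),  # inside the 10h window
    ("2014-07-14 12:00:00", 4769, "asmith", "ldap/dc01"),      # account never revoked
    ("2014-07-15 08:00:00", 4769, "jdoe", "http/intranet"),    # well after TGT expiry
]


def find_post_revocation_tickets(log, window=TGT_LIFETIME):
    """Return service-ticket requests made by an account after it was
    disabled/deleted/locked out, within one TGT lifetime of that change."""
    revoked = {}   # account -> (revocation time, reason)
    findings = []
    for ts, event_id, account, service in sorted(log, key=lambda r: r[0]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id in REVOKE_EVENTS:
            revoked[account] = (when, REVOKE_EVENTS[event_id])
        elif event_id == SERVICE_TICKET_EVENT and account in revoked:
            revoked_at, reason = revoked[account]
            age = when - revoked_at
            if age <= window:
                findings.append({
                    "account": account,
                    "service": service,
                    "reason": reason,
                    "hours_after_revocation": age.total_seconds() / 3600,
                })
    return findings


if __name__ == "__main__":
    for f in find_post_revocation_tickets(SAMPLE_LOG):
        print(f"{f['account']} ({f['reason']}) requested {f['service']} "
              f"{f['hours_after_revocation']:.2f}h after revocation")
```

Only the request 2.25 hours after the disable event is flagged; the one a day later falls outside the window a pre-existing TGT could still cover.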