AuditNet Discussion Forum - Auditors Helping Auditors
Logical Access Controls

 
Post new topic   Reply to topic    AuditNet Discussion Forum Forum Index -> IT Auditing
View previous topic :: View next topic  
Author Message
gelderth
Joined: 17 Jan 2006
Posts: 1

Posted: Tue Jan 17, 2006 7:06 am    Post subject: Logical Access Controls

In my organisation, we run numerous applications and databases on our network, including SAP. We run Active Directory, XP on the desktops and Windows 2003. We have implemented single sign-on for SAP.

When people leave, our User Management Team deactivate their network access, but do not deactivate the users' application accounts, arguing that to do so would mean additional work, and the users need a network account to access the applications in the first place, so it doesn't matter.

Have you any views on the security implications, or any other (licensing?), of leaving active accounts on applications? Is there any guidance on best practice out there that I can quote to them?
Razor
Joined: 11 Nov 2005
Posts: 6
Location: Tejas

Posted: Tue Jan 17, 2006 4:17 pm    Post subject: Ridiculous

I've long fought with IT people about this same issue and it always comes down to laziness. Let me tell you a fun little story.

Once there was a big mean auditor who suggested that application access security was very important and that not deactivating both network and application access was a risk. They didn't want to for cost reasons and pure laziness.

Two years later, it was found that a 'terminated' employee had accessed the application and altered the financial statements materially by changing some of the default estimation data points. Whoops! IT couldn't figure it out. They found a desktop had been used that was always left on. This eliminated the need for network access. A current employee had logged in using the terminated employee's old ID and password and made the untraceable changes. No one ever knew who did it and it affected 2 quarters of data.

I've heard other stories of hacking or social engineering gaining network access and then the open accounts were guessed and cracked to get into the application.

The question always is 'What are you trying to protect?' It either matters or it doesn't. If the risk of compromised data is less than the cost to protect it, then forget about it. If the data matters, then protect it. Any best practices literature on application security will detail this.

_________________
The sharper the mind, the smoother the ride.
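The control gap the two posts describe (network account disabled, application account left usable) is something an auditor can test directly by reconciling the directory's disabled users against the application's user list. The script below is an added example, not code from either poster or from AuditNet; the AD export, the application user table and their field names are constructed assumptions standing in for real exports (for SAP, a SU01/USR02 extract would supply the same fields). It also flags application logons that occurred after the network account was disabled, which is the scenario in Razor's story.

```python
from datetime import date

# Constructed sample data (assumption, not from the thread): a minimal
# Active Directory export keyed by logon name, and an application's user table.
AD_USERS = {
    "jsmith": {"enabled": True,  "disabled_on": None},
    "mjones": {"enabled": False, "disabled_on": date(2005, 11, 30)},
    "rlee":   {"enabled": False, "disabled_on": date(2005, 12, 15)},
}
APP_ACCOUNTS = [
    {"user": "jsmith", "locked": False, "last_logon": date(2006, 1, 16)},
    {"user": "mjones", "locked": False, "last_logon": date(2005, 10, 2)},
    {"user": "rlee",   "locked": False, "last_logon": date(2006, 1, 3)},   # used after AD disable
    {"user": "svcbat", "locked": False, "last_logon": date(2006, 1, 10)},  # no AD account at all
    {"user": "pold",   "locked": True,  "last_logon": date(2004, 6, 1)},   # properly deactivated
]


def find_orphaned_app_accounts(ad_users, app_accounts):
    """Return application accounts that are still usable although the owner's
    network (AD) account is disabled or does not exist at all.

    Each finding carries a reason and, for disabled AD users, whether the
    application recorded a logon after the AD disable date (the real red flag:
    somebody used the credentials without a network account)."""
    findings = []
    for acct in app_accounts:
        if acct["locked"]:
            continue  # already deactivated in the application; nothing to report
        ad = ad_users.get(acct["user"])
        if ad is None:
            findings.append({**acct, "reason": "no matching AD account",
                             "used_after_termination": None})
        elif not ad["enabled"]:
            last = acct["last_logon"]
            used_after = last is not None and last > ad["disabled_on"]
            findings.append({**acct, "reason": "AD disabled, app account active",
                             "used_after_termination": used_after})
    return findings


def post_termination_users(ad_users, app_accounts):
    """Convenience view: sorted logon names whose application account was used
    after the network account had been disabled."""
    return sorted(f["user"] for f in find_orphaned_app_accounts(ad_users, app_accounts)
                  if f["used_after_termination"])


if __name__ == "__main__":
    for f in find_orphaned_app_accounts(AD_USERS, APP_ACCOUNTS):
        print(f"{f['user']:8} {f['reason']:32} used_after_termination={f['used_after_termination']}")
```

Run against real exports, the first list is the population of accounts the application owner should be asked to justify or lock, and the second list is the one that turns a control weakness into an incident to investigate.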
All times are GMT - 5 Hours