Secure Bits
Do you know what PASSWD_NOTREQD means?
This userAccountControl flag (0x0020, decimal 32) lets an account have an empty password even when the domain password policy is enforced: the minimum password length is simply not checked for that account. Note that the flag only permits a blank password; setting it does not blank an existing one. But before you panic: it's not as bad as it sounds.
Here's how it works:
The password has to be explicitly set to empty by whoever creates or resets the account. A user can't just press Ctrl+Alt+Del and change their own password to empty.
The real problem?
During security assessments, I often find PASSWD_NOTREQD enabled for top managers and VIPs, without any clear reason. Sometimes, IDM tools set this flag, but in many cases, it's just a misconfiguration waiting to be exploited.
How to check your AD for this risk?
Run this PowerShell command (RSAT ActiveDirectory module) to identify accounts with this flag. The OID in the filter is the LDAP bitwise-AND matching rule, so the clause matches any user whose userAccountControl has bit 32 (0x20) set:
Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))' -Properties Name, UserPrincipalName | Select-Object Name, UserPrincipalName
Or, use AD Probe (my tool) to scan for it automatically.
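A fuller version of that check, as an added example that is not part of the original post and not the AD Probe tool: it lists the flagged accounts with the context you need to triage them (enabled, privileged, password age, last logon), reproduces the misconfiguration in a lab so the query has something to hit, and shows the remediation, which is clearing the bit and resetting the password. It assumes the RSAT ActiveDirectory module, read access to userAccountControl and, for the fix, password-reset rights; the account name lab-svc-01 and the OU path are made up for illustration.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the post's command and not the AD Probe tool. Assumes the RSAT
# ActiveDirectory module; 'lab-svc-01' and the OU path below are made-up lab values.

# PASSWD_NOTREQD is bit 0x20 (decimal 32) of userAccountControl. The OID in the
# filter is LDAP_MATCHING_RULE_BIT_AND, i.e. "this bit is set".
$PasswdNotReqd = 0x20
$Filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$PasswdNotReqd))"

function ConvertFrom-FileTime([Int64]$Value) {
    # pwdLastSet and lastLogonTimestamp are Windows FILETIME values; 0 means "never".
    if ($Value -gt 0) { [DateTime]::FromFileTimeUtc($Value) } else { $null }
}

function Get-PasswordNotRequiredAccount {
    # Every user with the bit set, plus the attributes needed to decide what to do with it.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADUser -LDAPFilter $Filter -SearchBase $SearchBase `
               -Properties userAccountControl, pwdLastSet, lastLogonTimestamp, adminCount |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                Enabled            = $_.Enabled
                Privileged         = ($_.adminCount -eq 1)   # stamped by AdminSDHolder on protected-group members
                PwdLastSet         = ConvertFrom-FileTime $_.pwdLastSet
                LastLogon          = ConvertFrom-FileTime $_.lastLogonTimestamp
                UserAccountControl = '0x{0:X}' -f $_.userAccountControl
                DistinguishedName  = $_.DistinguishedName
            }
        }
}

function New-LabPasswordNotRequiredAccount {
    # Lab only: reproduces the misconfiguration. An enabled user created with
    # -PasswordNotRequired $true and no -AccountPassword is the "set to empty at
    # creation" path the post describes; the DC accepts it only because the bit is set.
    param([string]$Name = 'lab-svc-01', [string]$Path = 'OU=Lab,DC=corp,DC=example')
    New-ADUser -Name $Name -SamAccountName $Name -Path $Path -PasswordNotRequired $true -Enabled $true
}

function Clear-PasswordNotRequired {
    # Clears the bit AND resets the password. Clearing the bit alone is not enough:
    # it changes what the DC will accept next time, not the blank hash already stored.
    param([Parameter(Mandatory)][string]$Identity, [switch]$WhatIf)

    Set-ADAccountControl -Identity $Identity -PasswordNotRequired $false -WhatIf:$WhatIf

    # Random 24-byte password, base64-encoded (32 chars; works on Windows PowerShell 5.1 and 7).
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $new = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $new -WhatIf:$WhatIf

    # For human accounts, force a real reset at next logon so nobody keeps the temporary value.
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true -WhatIf:$WhatIf
}

# Usage:
#   Get-PasswordNotRequiredAccount | Sort-Object Privileged -Descending | Format-Table -AutoSize
#   Get-PasswordNotRequiredAccount | Where-Object Enabled |
#       ForEach-Object { Clear-PasswordNotRequired -Identity $_.SamAccountName -WhatIf }
```

One caveat when reading the output: the flag being set means a blank password is allowed, not that the password is blank. The only definitive test is an authentication attempt with an empty password, and an LDAP simple bind cannot do it, because an empty password turns the bind into an anonymous bind. Treat every enabled hit, and any hit with adminCount set, as something to fix rather than something to investigate.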
Have you checked your environment for this misconfiguration? Let's discuss.
