Active Directory Security Tip #2: Active Directory User Accounts
The article discusses the different types of user accounts (standard, service, and admin accounts) and their potential security risks, lists the configuration issues that can leave accounts vulnerable (such as password expiration and insecure encryption), and provides a PowerShell script for detecting weak accounts.
2025-9-15 00:3:0
Author: adsecurity.org (view original)
Sep 14 2025
There are several different types of user accounts – at least in how they are used: standard user accounts, service accounts, and admin accounts.
There are numerous user account settings that can make them vulnerable. These configurations include:
* Inactive – account has not logged on or changed the password in over 180 days, which may flag this account as inactive/stale. Accounts known to be inactive should be disabled.
* Reversible encryption – effectively clear-text on DCs. There's no reason for this to be set.
* Password not required – account may not have an associated password, possibly set by a provisioning system. There's no reason for this to be set.
* Password never expires – password very likely to be old. Should not be set on standard user accounts.
* Kerberos DES encryption enabled – DES is a weaker encryption method which enables faster password brute-forcing. There's no reason for this to be set.
* Account does not require Kerberos pre-authentication – enables a trivial attack method for discovering the account's password (AS-REP roasting). May have been set for a compatibility issue with an application. Kerberos pre-authentication should always be required.
* Account cannot change password – password may not change. Standard user accounts should not have this set.
Attackers will look for these configurations, so it is best to review and adjust them regularly. Admin accounts and service accounts require additional protection above and beyond standard user accounts.
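The original post refers to a PowerShell script for finding accounts with these settings, but that script is not reproduced on this page. The block below is an added example written for this page, not the author's script, that checks every enabled user for the seven conditions listed above using the RSAT ActiveDirectory module. It assumes the module is installed and the session can query a domain controller; the 180-day threshold is the one from the post, and the rough Admin / Service / Standard classification (adminCount set, or an SPN present) is an assumption made here for readability, not something the post defines.

```powershell
# Added example (not the original post's script): list enabled user accounts
# that carry any of the risky settings described above.
# Assumes the RSAT ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

$StaleDays = 180                              # threshold used in the post
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# Extended properties exposed by Get-ADUser; the flag-style ones map onto
# userAccountControl bits (or the DES-only key flag), the two dates are timestamps.
$Props = 'LastLogonDate', 'PasswordLastSet', 'AllowReversiblePasswordEncryption',
         'PasswordNotRequired', 'PasswordNeverExpires', 'UseDESKeyOnly',
         'DoesNotRequirePreAuth', 'CannotChangePassword', 'ServicePrincipalName', 'AdminCount'

Get-ADUser -Filter * -Properties $Props |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        $u = $_
        $findings = [System.Collections.Generic.List[string]]::new()

        # Inactive: neither a logon nor a password change inside the threshold.
        # LastLogonDate comes from lastLogonTimestamp, which replicates with up to
        # ~14 days of lag, so treat this as an approximation, not an exact date.
        if ((-not $u.LastLogonDate  -or $u.LastLogonDate  -lt $Cutoff) -and
            (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $Cutoff)) {
            $findings.Add("Inactive (>$StaleDays days)")
        }
        if ($u.AllowReversiblePasswordEncryption) { $findings.Add('ReversibleEncryption') }
        if ($u.PasswordNotRequired)               { $findings.Add('PasswordNotRequired') }
        if ($u.PasswordNeverExpires)              { $findings.Add('PasswordNeverExpires') }
        if ($u.UseDESKeyOnly)                     { $findings.Add('KerberosDESOnly') }
        if ($u.DoesNotRequirePreAuth)             { $findings.Add('NoPreAuth (AS-REP roastable)') }
        if ($u.CannotChangePassword)              { $findings.Add('CannotChangePassword') }

        if ($findings.Count -gt 0) {
            # Classification is an assumption for this example: adminCount=1 marks
            # accounts AdminSDHolder has protected, an SPN usually means a service account.
            $type = 'Standard'
            if ($u.AdminCount -eq 1)            { $type = 'Admin' }
            elseif ($u.ServicePrincipalName)    { $type = 'Service' }

            [PSCustomObject]@{
                SamAccountName  = $u.SamAccountName
                Type            = $type
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                Findings        = ($findings -join '; ')
            }
        }
    } |
    Sort-Object Type, SamAccountName |
    Format-Table -AutoSize
```

Run it from a workstation with RSAT as an account that can read user objects; replace `Format-Table` with `Export-Csv` to keep a record between reviews. Each of the flag findings can be cleared with the matching `Set-ADAccountControl` switch (for example `-DoesNotRequirePreAuth $false`) once the owning application has been checked, while an account confirmed inactive should simply be disabled as the post recommends. Note that the script only surfaces the settings the post lists; it does not judge whether a service or admin account has the additional protections the post says those accounts need.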
I improve security for enterprises around the world working for TrustedSec & I am @PyroTek3 on Twitter.
Read the About page (top left) for information about me. :)
https://adsecurity.org/?page_id=8