Dump AD User Objects With ‘Password Never Expires’, ‘Store Password Using Reversible Encryption’
UserAccountControl is one of the most important attributes of the user and computer objects in Active Directory. This attribute determines the state of the account in the AD domain: whether the account is active or locked out, whether the user must change the password at the next logon, whether users can change their passwords, etc. However, not all administrators are fully aware of how the UserAccountControl attribute works and what it is used for in AD.
The first time you enable the password hash synchronization feature, it performs an initial synchronization of the passwords of all in-scope users. You cannot explicitly define a subset of user passwords that you want to synchronize. However, if there are multiple connectors, it is possible to disable password hash sync for some connectors but not others using the Set-ADSyncAADPasswordSyncConfiguration cmdlet.
If there are synchronized users that only interact with Azure AD integrated services and must also comply with a password expiration policy, you can force them to comply with your Azure AD password expiration policy by enabling the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature.
If the user has the "Password never expires" option set in Active Directory (AD), the force-password-change flag will not be set in AD, so the user will not be prompted to change the password during the next sign-in.
If your organization uses the accountExpires attribute as part of user account management, this attribute is not synchronized to Azure AD. As a result, an expired Active Directory account in an environment configured for password hash synchronization will still be active in Azure AD. We recommend using a scheduled PowerShell script that disables users' AD accounts, once they expire (use the Set-ADUser cmdlet). Conversely, during the process of removing the expiration from an AD account, the account should be re-enabled.
When you install Azure AD Connect by using the Express Settings option, password hash synchronization is automatically enabled. For more information, see Getting started with Azure AD Connect using express settings.
The Store password using reversible encryption policy setting provides support for applications that use protocols that require the user's password for authentication. Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break this encryption can then sign in to network resources by using the compromised account. For this reason, never enable Store password using reversible encryption for all users in the domain unless application requirements outweigh the need to protect password information.
Set the value for Store password using reversible encryption to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to Enabled. This setting presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers.
This security setting determines whether the password is stored using reversible encryption. If a password is stored using reversible encryption, then it becomes easier to decrypt the password. This setting is useful in certain cases, where an application or service requires the username and password of a user to perform certain functions. This setting should be enabled, only if it is necessary. By default, this setting is disabled.
For an account that stores the password using reversible encryption, the account properties in Active Directory Users and Computers (ADUC) may show the box checked for Store password using reversible encryption. It looks like this:
If you want the excruciating detail about the syntax of this command, scroll down to the section at the bottom titled In the Weeds. Otherwise, suffice it to say that the above command will get you all the accounts that have been configured to store passwords using reversible encryption.
So the big question is why. Why would there be a need to store credentials in this manner? The answer is that some applications require it. So Microsoft has provided a mechanism for applications that need to know user password values to force storage of reversibly-encrypted passwords in order to authenticate users. The applications that I know about that require reversible encryption are MS CHAP, SASL Digest Authentication, and older MacOS hosts that need to authenticate to a Windows domain. There are also very possibly other third-party apps that use it as well.
I promised some more details on the command syntax shown above. As a refresher, here is the command to extract users whose passwords are stored using reversible encryption from Active Directory using PowerShell:
In order to find users with non-expiring passwords, we can again use the LDAPDomainDump tool mentioned earlier. All we need are low-privileged domain user credentials and the ability to reach the LDAP port of any domain controller.
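Both flags discussed above ("Password never expires" and "Store password using reversible encryption") are single bits in the userAccountControl attribute, so once you have a directory dump you can decode them offline. The following is an added example, not code from the page or from the LDAPDomainDump project: it decodes the relevant UserAccountControl bits and groups accounts by the two risky flags. The sample records are constructed, and their shape (a `dn` plus an `attributes` dictionary holding an integer `userAccountControl`) is an assumption that only loosely mirrors a directory dump, not the tool's exact output format.

```python
"""Decode userAccountControl bits and flag risky accounts.

Added example, not code from the page or from LDAPDomainDump. The sample
records below are constructed; their shape is an assumption, not the
tool's exact format.
"""
import json

# userAccountControl bit values documented by Microsoft
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010
PASSWD_NOTREQD = 0x0020
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # "Store password using reversible encryption"
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000        # "Password never expires"

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    LOCKOUT: "LOCKOUT",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    ENCRYPTED_TEXT_PWD_ALLOWED: "ENCRYPTED_TEXT_PWD_ALLOWED",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# Constructed sample dump (not real directory data)
SAMPLE_DUMP = json.dumps([
    {"dn": "CN=alice,OU=Staff,DC=example,DC=local",
     "attributes": {"sAMAccountName": "alice", "userAccountControl": 512}},
    {"dn": "CN=svc_backup,OU=Services,DC=example,DC=local",
     "attributes": {"sAMAccountName": "svc_backup", "userAccountControl": 66048}},
    {"dn": "CN=legacy_chap,OU=Staff,DC=example,DC=local",
     "attributes": {"sAMAccountName": "legacy_chap", "userAccountControl": 640}},
    {"dn": "CN=old_admin,OU=Staff,DC=example,DC=local",
     "attributes": {"sAMAccountName": "old_admin", "userAccountControl": 66178}},
])


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def _uac(record):
    raw = record["attributes"].get("userAccountControl", 0)
    # Some dumps wrap single-valued attributes in a list; accept both forms
    if isinstance(raw, list):
        raw = raw[0] if raw else 0
    return int(raw)


def find_risky_accounts(dump_json, include_disabled=False):
    """Group accounts by the two flags discussed in the text."""
    result = {"never_expires": [], "reversible_encryption": []}
    for rec in json.loads(dump_json):
        uac = _uac(rec)
        if not include_disabled and uac & ACCOUNTDISABLE:
            continue  # disabled accounts are usually reviewed separately
        name = rec["attributes"]["sAMAccountName"]
        if uac & DONT_EXPIRE_PASSWORD:
            result["never_expires"].append(name)
        if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
            result["reversible_encryption"].append(name)
    return result


if __name__ == "__main__":
    for rec in json.loads(SAMPLE_DUMP):
        print(rec["attributes"]["sAMAccountName"], decode_uac(_uac(rec)))
    print(find_risky_accounts(SAMPLE_DUMP))
```

The same bit tests can be pushed to the directory server with the LDAP_MATCHING_RULE_BIT_AND matching rule, e.g. `(userAccountControl:1.2.840.113556.1.4.803:=65536)` for non-expiring passwords and `:=128` for reversible encryption, which avoids pulling every user object first.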
In any case, passwords should never be stored in plain text. This vulnerability gives attackers who have compromised the AD domain (e.g. APTs) and highly privileged insiders (e.g. domain administrators) instant access to the plain-text passwords of affected users.
This PowerShell script scans through AD for all users who have a password expiring in a number of days that are configured in the script. This can be a single number of days out, or multiple different days. The script as is will send an email on 10, 5, and 1 day until the password expires. It uses the email address stored in AD to generate the email to the user. After all the emails have been sent out a list is sent to a specified email address listing all of the users.
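The core of such a script is the expiry arithmetic: pwdLastSet is a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC), the expiry date is pwdLastSet plus the domain's maximum password age, and accounts carrying the "Password never expires" bit must be skipped. The following is an added example, not the page's PowerShell script: it computes days until expiry and selects the users due for a notice on the 10, 5 and 1 day thresholds. The sample users, the fixed reference time `NOW` and the choice to take the maximum age as a plain number of days (rather than reading the domain's maxPwdAge attribute) are assumptions made for the example.

```python
"""Days until password expiry and who to notify.

Added example, not the page's script. The sample users and NOW are
constructed; max_age_days stands in for the domain's maxPwdAge attribute.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit
NOTIFY_DAYS = (10, 5, 1)          # thresholds used by the script in the text

# Fixed reference time so the example is reproducible (assumption)
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware UTC datetime -> FILETIME, using exact integer arithmetic."""
    micros = (dt - FILETIME_EPOCH) // timedelta(microseconds=1)
    return micros * 10


def days_until_expiry(pwd_last_set, uac, max_age_days, now):
    """Whole days left, or None if the password does not expire."""
    if uac & DONT_EXPIRE_PASSWORD:
        return None
    if pwd_last_set == 0:
        return 0  # pwdLastSet of 0 means "must change at next logon"
    expires = filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)
    return (expires - now).days


def users_to_notify(users, max_age_days, now, thresholds=NOTIFY_DAYS):
    """Return (name, mail, days_left) for users who hit a threshold today."""
    notify = []
    for u in users:
        if not u.get("mail"):
            continue  # no address in AD, nothing to send
        left = days_until_expiry(u["pwdLastSet"], u["userAccountControl"],
                                 max_age_days, now)
        if left is not None and left in thresholds:
            notify.append((u["sAMAccountName"], u["mail"], left))
    return notify


def _set_days_ago(days):
    return datetime_to_filetime(NOW - timedelta(days=days))


# Constructed sample users (maximum password age assumed to be 90 days)
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "mail": "alice@example.local",
     "pwdLastSet": _set_days_ago(80), "userAccountControl": 512},
    {"sAMAccountName": "bob", "mail": "bob@example.local",
     "pwdLastSet": _set_days_ago(85), "userAccountControl": 512},
    {"sAMAccountName": "carol", "mail": "carol@example.local",
     "pwdLastSet": _set_days_ago(89), "userAccountControl": 512},
    {"sAMAccountName": "svc_backup", "mail": "ops@example.local",
     "pwdLastSet": _set_days_ago(400), "userAccountControl": 66048},
    {"sAMAccountName": "eve", "mail": "",
     "pwdLastSet": _set_days_ago(80), "userAccountControl": 512},
    {"sAMAccountName": "frank", "mail": "frank@example.local",
     "pwdLastSet": _set_days_ago(50), "userAccountControl": 512},
]

if __name__ == "__main__":
    for name, mail, left in users_to_notify(SAMPLE_USERS, 90, NOW):
        print(f"{name} <{mail}>: password expires in {left} day(s)")
```

Note that `svc_backup` is skipped because of its DONT_EXPIRE_PASSWORD bit even though its password is far older than the maximum age; a script that ignored the flag would nag service-account owners about a password that AD will never expire.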
BitLocker uses the Trusted Platform Module (TPM) on devices to store the encryption key for the device. If the drive is removed from the motherboard, the drive remains encrypted. For enhanced authentication, you can enable an encryption PIN to boot the system. You can also require a password for devices when a TPM is not available.
The Workspace ONE Intelligent Hub for Windows prompts your users to create password to access and use the drives. The minimum length of that password can be set by the admin in the console under the BitLocker To Go Settings. When users plug the encrypted drive into the Windows device, they use their password to access the drive, copy content to the drive, edit files, delete content, or any other task performed with removable drives. The admin can also select if they would like to encrypt only used space on the drive or the total drive.
Windows Hello provides a secure alternative to using passwords for security. The Windows Hello profile configures Windows Hello for Business for your Windows Desktop devices so end users can access your data without sending a password.
Passwords should not be stored using reversible encryption - secure password hashing algorithms should be used instead. The Password Storage Cheat Sheet contains further guidance on storing passwords.
Next is a setting that allows the administrator to exempt this account from the password-expiration rule. Most organizations want their users to change their passwords regularly (every 60 days, for example) so that if a password has been compromised, its useful period to gain access to the network is limited. The exception to this rule is for service accounts. A service account is used so that applications, such as Microsoft Exchange and Microsoft SQL Server, have access to network resources. These applications expect the password to never be changed, or if it is changed, the change must be performed using the management tool for the application, and not through the ADUC.
Once the template has been created, all you have to do to create a new user with the same characteristics is right-click the template account and choose Copy. You enter the username, user ID, and password of the specific user, and the resulting account has both the specific information for an actual user and the necessary ancillary information applicable to all users in the group because most of it was already entered into fields in the template account.
When you have a basic Active Directory domain that's running at the Windows Server 2008 Domain Functional Level, the Account Policies for all domain users behave the exact same way they always have. A Windows Server 2008 or Windows Server 2008 R2 Active Directory domain, without FGPPs implemented, has the following characteristics for passwords affecting domain users:
If you lock out accounts after a certain number of logon failures, you expect the account to remain locked out until the time period you define in your security policy expires. A bug in how the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in implements account changes causes the snap-in to clear the locked-out flag when you change the Password never expires or the Store password using reversible encryption account attributes. If you modify either of these fields, save the changes, and restart the snap-in, you'll see that the account is unlocked, even though you didn't clear this field. On October 3, Microsoft released a new version of dsprop.dll as a bug fix for this problem. You can obtain the update only from Microsoft Product Support Services (PSS); quote the Microsoft article "Locked User Account Is Unlocked If You Change Account Options".
Alternatively, you can enable reversible storage of passwords for individual users. By using the Directory Services snap-in, you can select this feature through the properties of an individual user. Again, note that reversibly encrypted passwords are saved during the change-password procedure, so existing users must change their passwords to use CHAP.