H3-2023-0030
Active Directory - User Password Not Required
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 4.3 |
Description
User objects within Active Directory have attributes that can be added/deleted/edited by a privileged user. The userAccountControl attribute has a PASSWD_NOTREQD flag that, if set, allows a user to not have a password. However, this does not mean the user actually has a blank password – just that it is possible.
Impact
An authenticated user could discover an enabled user with the PASSWD_NOTREQD flag set and might be able to log in as that user without a password.
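An audit sketch for the flag described above, added here as an example and not part of the original advisory: it decodes userAccountControl values from a directory export and lists accounts with PASSWD_NOTREQD set, enabled ones first. The CSV layout, account names and function names are constructed for illustration; the flag only shows that a blank password is permitted, not that one is set.

```python
import csv
import io

# userAccountControl bit values as documented by Microsoft (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020

# Equivalent LDAP filter for auditing a live directory: the OID is the
# bitwise-AND matching rule, 32 = PASSWD_NOTREQD, 2 = ACCOUNTDISABLE.
AUDIT_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=32)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

# Constructed sample export (hypothetical accounts, not real data).
SAMPLE_EXPORT = """sAMAccountName,userAccountControl
alice,512
svc-backup,544
old-temp,546
kiosk01,66080
bob,66048
"""

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def audit(export_text):
    """List accounts with PASSWD_NOTREQD set; enabled accounts sort first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            uac = int(row["userAccountControl"])
        except (KeyError, TypeError, ValueError):
            continue  # skip rows without a usable numeric value
        if uac & PASSWD_NOTREQD:
            findings.append({"account": row["sAMAccountName"],
                             "enabled": not uac & ACCOUNTDISABLE,
                             "flags": decode_uac(uac)})
    return sorted(findings, key=lambda f: (not f["enabled"], f["account"]))

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['account']:<12} {state:<9} {', '.join(f['flags'])}")
```

Enabled findings are the ones that match the impact statement; clearing the flag on them forces the account back under the domain password policy at the next password change.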