1. Introduction
AD Starter Scan – Blank passwords identifies Active Directory accounts that have no password set. This condition arises when the PASSWD_NOTREQD option is enabled on a user account, which permits an empty password and therefore access without meaningful authentication. It poses a significant risk to confidentiality, integrity and availability, as an attacker who gains access to such an account can fully compromise the resources it controls. This vulnerability typically affects smaller Active Directory deployments with up to 5000 users.
2. Technical Explanation
The root cause is the PASSWD_NOTREQD UserAccountControl attribute being set on an account, which allows a blank password. An attacker can exploit this by directly accessing resources using the compromised account without needing to provide credentials. The ‘User must change password at next logon’ option does not prevent exploitation as it only enforces password changes upon initial connection.
- Root cause: The PASSWD_NOTREQD flag is set in the UserAccountControl attribute of an Active Directory user account.
- Exploit mechanism: An attacker can directly access resources associated with the account without a password, potentially escalating privileges if it’s a privileged account.
- Scope: This affects Active Directory environments using the PASSWD_NOTREQD option for accounts.
3. Detection and Assessment
You can confirm vulnerability by checking user account attributes in Active Directory Users and Computers (ADUC). A thorough assessment involves scanning all accounts for the PASSWD_NOTREQD flag.
- Quick checks: Open ADUC, find a user account, go to Properties > Attribute Editor, and check if ‘userAccountControl’ contains the 0x400 value (PASSWD_NOTREQD).
- Scanning: Nessus plugin ID 16395 can identify accounts with blank passwords. This is an example only; other scanners may also provide similar functionality.
- Logs and evidence: Security event logs do not directly indicate this condition, but failed login attempts from the account might be logged if access controls are in place.
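To carry out the account-wide assessment described above against an attribute export rather than live ADUC clicks, here is an added example (not part of this advisory, and not Tenable or Microsoft code) that decodes exported userAccountControl values, lists the flags each one carries, and computes the value an account would hold once PASSWD_NOTREQD is cleared. The bit values are those Microsoft documents for userAccountControl (PASSWD_NOTREQD is bit 0x0020, decimal 32); the account records are constructed sample data, and the script does not query a directory itself.

```python
"""Offline audit of userAccountControl values for the PASSWD_NOTREQD flag.

Added example; not from the advisory and not Tenable/Microsoft code. It works
on a constructed list of (sAMAccountName, userAccountControl) records such as
dsquery or csvde would export, and never talks to a domain controller.
"""

# userAccountControl bit flags as Microsoft documents them for AD user objects.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
PASSWD_NOTREQD = 0x0020
ACCOUNTDISABLE = 0x0002


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_uac(text):
    """Accept decimal ('544') or hex ('0x220'), since tools export either form."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def clear_passwd_notreqd(value):
    """Remediated value: PASSWD_NOTREQD cleared, every other bit left untouched."""
    return value & ~PASSWD_NOTREQD


def find_passwd_notreqd(records):
    """records: iterable of (sAMAccountName, userAccountControl-as-text).

    Returns one finding per flagged account with the decoded flags, whether the
    account is enabled (enabled accounts are the ones to fix first) and the
    value it should hold after remediation.
    """
    findings = []
    for sam, uac_text in records:
        uac = parse_uac(uac_text)
        if uac & PASSWD_NOTREQD:
            findings.append({
                "sAMAccountName": sam,
                "userAccountControl": uac,
                "flags": decode_uac(uac),
                "enabled": not (uac & ACCOUNTDISABLE),
                "remediated": clear_passwd_notreqd(uac),
            })
    return findings


# Constructed sample export (not real accounts).
# 544 = NORMAL_ACCOUNT | PASSWD_NOTREQD; 0x222 adds ACCOUNTDISABLE;
# 66080 = DONT_EXPIRE_PASSWORD | NORMAL_ACCOUNT | PASSWD_NOTREQD.
SAMPLE_EXPORT = [
    ("svc-backup", "544"),
    ("jdoe", "512"),
    ("contractor1", "0x222"),
    ("admin-tier0", "66080"),
]

if __name__ == "__main__":
    for f in find_passwd_notreqd(SAMPLE_EXPORT):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['sAMAccountName']}: {f['userAccountControl']} {f['flags']} "
              f"({state}) -> {f['remediated']} after fix")
```

The "remediated" value is what Attribute Editor should display once the flag is cleared; comparing it against a later export is a quick way to confirm the fix was applied to every account the scan reported.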
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr sAMAccountName userAccountControl -limit 0
4. Solution / Remediation Steps
Ensure all Active Directory accounts have a valid password configured, especially privileged accounts. Follow these steps to fix the issue.
4.1 Preparation
- The roll-back plan is to restore from backup if issues occur.
- Changes should be made during a maintenance window with appropriate approval.
4.2 Implementation
- Step 1: Open Active Directory Users and Computers (ADUC).
- Step 2: Locate the user account with the blank password.
- Step 3: Right-click the account and select “Properties”.
- Step 4: Go to the “Attribute Editor” tab.
- Step 5: Find the attribute “userAccountControl”.
- Step 6: Uncheck the “PASSWD_NOTREQD” option (0x400). This will force a password change on next logon.
- Step 7: Repeat steps 2-6 for all affected accounts.
4.3 Config or Code Example
Before
userAccountControl: 66080 (NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | PASSWD_NOTREQD)
After
userAccountControl: 66048 (NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD: normal account, password required)
4.4 Security Practices Relevant to This Vulnerability
Least privilege and regular account reviews are key practices for mitigating this issue. Least privilege limits the impact of a compromised account. Regular account reviews help identify and correct misconfigurations like blank passwords.
- Practice 1: Implement least privilege principles, granting users only the necessary permissions to perform their tasks.
- Practice 2: Conduct regular Active Directory account audits to identify accounts with weak or missing passwords.
4.5 Automation (Optional)
PowerShell can be used to automate this process. Be cautious when modifying userAccountControl attributes, as incorrect changes can lock out accounts.
# Requires the ActiveDirectory PowerShell module (RSAT); PASSWD_NOTREQD is exposed as the PasswordNotRequired property
Import-Module ActiveDirectory
# Get all users with the PASSWD_NOTREQD flag set (userAccountControl bit 0x0020)
Get-ADUser -Filter 'PasswordNotRequired -eq $true' -Properties userAccountControl, PasswordNotRequired | ForEach-Object {
    $user = $_
    # Clear the PASSWD_NOTREQD flag; append -WhatIf to preview the change before applying it
    Set-ADUser -Identity $user.DistinguishedName -PasswordNotRequired $false
}
5. Verification / Validation
- Post-fix check: Open ADUC, find the modified user account, go to Properties > Attribute Editor, and confirm ‘userAccountControl’ no longer contains 0x400.
- Re-test: Re-run Nessus plugin ID 16395; it should not report any vulnerable accounts.
- Monitoring: Monitor security event logs for failed login attempts, which could indicate issues with account access.
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr sAMAccountName userAccountControl -limit 0
6. Preventive Measures and Monitoring
Implement a strong password policy and regularly review Active Directory configurations to prevent this issue. For example, use Group Policy or Intune to enforce password complexity requirements.
- Baselines: Update your security baseline to include a requirement for all accounts to have a valid password set.
- Asset and patch process: Review Active Directory configurations quarterly as part of your regular asset management process.
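The security log does not record that an account currently has PASSWD_NOTREQD set, but it does record the moment the flag is changed: Windows Security event 4738 ("A user account was changed") carries a "User Account Control" field listing each flag that changed and its direction. The following added example (not from this advisory, and not Tenable or Microsoft code) turns that into a monitoring rule, alerting whenever the flag is switched on and separately noting when it is cleared so the fix can be confirmed. The event records are constructed to mimic what a log collector would extract; the exact field names and line layout are an assumption about your collector, not a documented schema.

```python
"""Alert on userAccountControl changes that enable PASSWD_NOTREQD, based on
Windows Security event 4738 ('A user account was changed').

Added example; not from the advisory and not Tenable/Microsoft code. Event 4738
lists changed flags in its 'User Account Control' field in the form
"'Password Not Required' - Enabled". The records below are constructed sample
data whose field names mimic a collector's output (layout assumed).
"""
import re

# Matches the changed-flag line for Password Not Required and captures its direction.
PWD_NOT_REQD_RE = re.compile(
    r"'Password Not Required'\s*-\s*(Enabled|Disabled)", re.IGNORECASE
)

# Constructed 4738-style events: who changed which account, and the list of changed flags.
SAMPLE_EVENTS = [
    {"EventID": 4738, "SubjectUserName": "admin1", "TargetUserName": "svc-backup",
     "UserAccountControl": "'Password Not Required' - Enabled"},
    {"EventID": 4738, "SubjectUserName": "admin2", "TargetUserName": "jdoe",
     "UserAccountControl": "'Don't Expire Password' - Enabled"},
    {"EventID": 4738, "SubjectUserName": "admin1", "TargetUserName": "svc-backup",
     "UserAccountControl": "'Password Not Required' - Disabled"},
    {"EventID": 4738, "SubjectUserName": "svc-deploy", "TargetUserName": "admin-tier0",
     "UserAccountControl": "'Password Not Required' - Enabled\n'Normal Account' - Enabled"},
    # A password reset (event 4724) has no UAC change list and must not match.
    {"EventID": 4724, "SubjectUserName": "admin3", "TargetUserName": "jdoe",
     "UserAccountControl": "-"},
]


def classify(event):
    """Return 'enabled', 'disabled' or None for the PASSWD_NOTREQD transition in one event."""
    if event.get("EventID") != 4738:
        return None
    m = PWD_NOT_REQD_RE.search(event.get("UserAccountControl", ""))
    return m.group(1).lower() if m else None


def alerts(events):
    """Events where PASSWD_NOTREQD was turned on.

    Each alert names the account and the principal that made the change, so
    it can be matched against an approved change or escalated if there is none.
    """
    return [{"target": e["TargetUserName"], "by": e["SubjectUserName"]}
            for e in events if classify(e) == "enabled"]


def remediations(events):
    """Accounts on which the flag was cleared; useful to confirm the fix landed."""
    return [e["TargetUserName"] for e in events if classify(e) == "disabled"]


if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(f"ALERT: PASSWD_NOTREQD enabled on {a['target']} by {a['by']}")
    print("cleared on:", remediations(SAMPLE_EVENTS))
```

In practice the rule is fed by whatever forwards the security log to your SIEM; the value of keying on the textual flag list rather than the raw hex values is that it survives differences in how collectors render the numeric fields.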
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Incorrectly modifying userAccountControl could lock out a user account. Mitigation: Test changes in a non-production environment first.
- Roll back: Restore Active Directory from backup if issues occur. Alternatively, re-enable the PASSWD_NOTREQD flag on affected accounts using ADUC or PowerShell.
8. References and Resources
- Vendor advisory or bulletin: https://www.tenable.com/blog/new-in-nessus-find-and-fix-these-10-active-directory-misconfigurations
- NVD or CVE entry: Not applicable for this specific configuration issue.
- Product or platform documentation relevant to the fix:
Updated on December 27, 2025