How to remediate – AD Starter Scan – Non-Expiring Account Password

1. Introduction

AD Starter Scan identifies Active Directory accounts with passwords that never expire. This means these accounts are not subject to regular password changes, increasing the risk of compromise if an attacker gains access. These misconfigurations typically affect user and administrator accounts within smaller Active Directory deployments. A successful attack could lead to confidentiality, integrity, and availability loss.

2. Technical Explanation

Active Directory allows administrators to configure accounts to bypass global password renewal policies. This is often done for service accounts but should never be applied to user or administrator accounts. An attacker who compromises an account with a non-expiring password has persistent access until the password is manually changed.

  • Root cause: Accounts are configured with the “Password Never Expires” attribute set in Active Directory.
  • Exploit mechanism: An attacker gains control of an account and maintains access indefinitely, potentially escalating privileges or exfiltrating data.
  • Scope: Windows domain controllers running Active Directory.

3. Detection and Assessment

You can confirm vulnerable accounts using PowerShell or by reviewing Nessus scan results.

  • Quick checks: Use PowerShell to list accounts with the PasswordNeverExpires flag set.
  • Scanning: Nessus plugin ID 16283 (AD Starter Scan – Non-Expiring Account Password).
  • Logs and evidence: Review Active Directory event logs for changes to the “PasswordNeverExpires” attribute on user or administrator accounts.

Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires | Select SamAccountName, PasswordNeverExpires
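The one-liner above answers "which accounts", but during assessment you usually also want to know how old each password is and which of the flagged accounts look privileged. The following script is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module, read access to the domain, and an output path (C:\Temp\NonExpiringPasswords.csv) that you will want to change. The adminCount heuristic is explained in the comments.

```powershell
# Added example (not from the original article): inventory enabled accounts whose
# password never expires, flag the ones that look privileged, and export the list.
# Assumes the ActiveDirectory RSAT module and rights to read the domain.
Import-Module ActiveDirectory

$reportPath = 'C:\Temp\NonExpiringPasswords.csv'   # assumed output path; adjust

# PasswordNeverExpires is not returned by default, so request it (and friends) explicitly.
$accounts = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, adminCount, MemberOf, Description

$rows = foreach ($u in $accounts) {
    $lastSet = $u.PasswordLastSet
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        PasswordLastSet   = $lastSet
        # $null PasswordLastSet means the password must be changed at next logon.
        PasswordAgeDays   = if ($lastSet) { [int](New-TimeSpan -Start $lastSet -End (Get-Date)).TotalDays } else { $null }
        # adminCount=1 is set by AdminSDHolder on current (or former) members of protected
        # groups such as Domain Admins. It is a heuristic for "likely privileged", not proof.
        LikelyPrivileged  = ($u.adminCount -eq 1)
        GroupCount        = @($u.MemberOf).Count
        Description       = $u.Description
    }
}

# Privileged accounts first, then the rest; keep a CSV for the assessment record.
$rows | Sort-Object LikelyPrivileged, PasswordAgeDays -Descending | Format-Table -AutoSize
$rows | Export-Csv -Path $reportPath -NoTypeInformation
```

Accounts that show LikelyPrivileged as True with a large PasswordAgeDays are the ones to prioritise in section 4; a Description mentioning a service or application is the usual hint that the flag is an intentional service-account exception rather than a user or administrator misconfiguration.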

4. Solution / Remediation Steps

Implement a password expiration policy and ensure all user and administrator accounts adhere to it.

4.1 Preparation

  • Consider a change window, since the policy change affects every account in the domain. Roll back by restoring an AD backup if needed.

4.2 Implementation

  1. Step 1: Open Group Policy Management (gpmc.msc).
  2. Step 2: Edit the Default Domain Policy or create a new policy linked to your domain.
  3. Step 3: Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
  4. Step 4: Ensure “Maximum password age” is set to a finite value (e.g., 90 days) rather than never.
  5. Step 5: Enforce the policy by running `gpupdate /force` on domain controllers and client machines.

4.3 Config or Code Example

Before

Maximum password age: Not set

After

Maximum password age: 90 days

4.4 Security Practices Relevant to This Vulnerability

Implement least privilege and enforce a strong password policy across your Active Directory environment.

  • Practice 1: Least privilege reduces the impact of compromised accounts.
  • Practice 2: A strong password policy, including regular expiration, limits the window for attackers to exploit stolen credentials.

4.5 Automation (Optional)

# PowerShell script to disable PasswordNeverExpires on all user accounts that have it set.
# Get-ADUser does not return PasswordNeverExpires by default, so filter on it server-side and request the property; append -WhatIf to Set-ADUser to preview.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires |
    Set-ADUser -PasswordNeverExpires $false
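Section 2 notes that the flag is legitimately used on service accounts, so a blanket clear can break scheduled tasks or application logons. The script below is an added example, not from the original article: it clears the flag only on accounts outside an exclusion OU and an approved-exceptions group, defaults to a dry run, and logs each change. The OU, group and log path names are assumptions to replace with your own.

```powershell
# Added example (not from the original article): clear PasswordNeverExpires only on
# accounts that are not known service-account exceptions, with a dry-run default and
# a change log. All names below are assumptions for your environment.
Import-Module ActiveDirectory

$excludedOu    = 'OU=Service Accounts,DC=example,DC=com'    # assumed OU holding service accounts
$excludedGroup = 'PasswordNeverExpires-Approved'             # assumed group of approved exceptions
$logPath       = 'C:\Temp\PasswordNeverExpires-Changes.csv'  # assumed log location
$dryRun        = $true                                       # set to $false to apply changes

# Distinguished names of approved exceptions (nested membership included).
$approved = @(Get-ADGroupMember -Identity $excludedGroup -Recursive |
              Select-Object -ExpandProperty distinguishedName)

# Flagged accounts that are neither in the service-account OU nor approved.
$targets = Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires, PasswordLastSet |
    Where-Object {
        $_.DistinguishedName -notlike "*,$excludedOu" -and
        $approved -notcontains $_.DistinguishedName
    }

$log = foreach ($u in $targets) {
    if (-not $dryRun) {
        # Clearing the flag makes the domain "Maximum password age" apply to this account.
        Set-ADUser -Identity $u -PasswordNeverExpires $false
    }
    [pscustomobject]@{
        Time            = Get-Date
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        Action          = if ($dryRun) { 'WouldClear' } else { 'Cleared' }
    }
}

$log | Format-Table -AutoSize
$log | Export-Csv -Path $logPath -NoTypeInformation -Append
```

Run it once with $dryRun left at $true, review the WouldClear rows against your service-account inventory, then flip the switch. The CSV doubles as the evidence trail for section 5 and for the change record.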

5. Verification / Validation

Confirm the fix by verifying that no accounts have the “PasswordNeverExpires” flag set and that password changes are enforced.

  • Post-fix check: Run `Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires | Select SamAccountName, PasswordNeverExpires` and confirm no results are returned.
  • Re-test: Re-run the Nessus scan (plugin ID 16283) to verify that no vulnerable accounts are reported.

6. Preventive Measures and Monitoring

Update security baselines to include a password expiration policy and monitor Active Directory event logs for unauthorized changes to account attributes.

  • Baselines: Include a requirement for password expiration in your Active Directory security baseline.
  • Pipelines: Integrate checks into your CI/CD pipeline to ensure new accounts are created with appropriate settings.
  • Asset and patch process: Regularly review Active Directory configurations for compliance with security policies.
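Monitoring "unauthorized changes to account attributes" in practice means watching the domain controllers' Security log for the flag being turned back on. The script below is an added example, not from the original article. It relies on event ID 4738 ("A user account was changed"), which is logged when the "Audit User Account Management" subcategory is enabled on the DC; its UserAccountControl field lists the flags that changed, and the text matched here ("'Don't Expire Password' - Enabled") is the English wording from Microsoft's event documentation, so adjust it for a localised DC.

```powershell
# Added example (not from the original article): report Security-log events on a
# domain controller where "Password Never Expires" was enabled on an account.
# Requires "Audit User Account Management" (success) so that event 4738 is written.
# Assumes you run it on a DC, or as an account that can read the DC's Security log.
$since = (Get-Date).AddDays(-7)   # look-back window; adjust to your review cadence

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4738; StartTime = $since } `
    -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # UserAccountControl lists only the flags that changed, one per line, e.g.
    # "'Don't Expire Password' - Enabled" (English wording; locale-dependent).
    if ($data['UserAccountControl'] -match "Don't Expire Password' - Enabled") {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Target    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            OldUac    = $data['OldUacValue']
            NewUac    = $data['NewUacValue']
            Computer  = $e.MachineName
        }
    }
}

if ($changes) {
    $changes | Sort-Object Time | Format-Table -AutoSize
} else {
    "No 'Password Never Expires' enablement found in 4738 events since $since"
}
```

Any ChangedBy that is not a member of the team that owns service-account exceptions, or any Target outside the service-account OU, is the alert condition; the same filter (Id 4738 plus that UserAccountControl text) can be turned into a scheduled task or a SIEM rule so the check does not depend on someone remembering to run it.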

7. Risks, Side Effects, and Roll Back

Changing the password policy may require users to reset their passwords, potentially causing disruption.

  • Risk or side effect 1: User inconvenience due to forced password resets. Communicate changes in advance.
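To size the disruption described here before the change, and to confirm the "After" value from section 4.3 once the GPO has applied, the following added example (not from the original article) reads the effective domain password policy and counts the enabled users whose password is already older than the planned maximum. It assumes the ActiveDirectory RSAT module and read access to the domain; the 90-day figure is the one used in section 4.3.

```powershell
# Added example (not from the original article): show the effective domain password
# policy and estimate how many enabled users will be forced to change their password
# once a finite maximum age applies (the side effect described in section 7).
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

$plannedMaxAgeDays = 90   # the value chosen in section 4.3; adjust to your policy

# The "After" check for section 4.3: what the domain currently enforces.
$policy = Get-ADDefaultDomainPasswordPolicy
"Current domain MaxPasswordAge: $($policy.MaxPasswordAge)"

$cutoff = (Get-Date).AddDays(-$plannedMaxAgeDays)

# Enabled users whose password is older than the planned maximum will be prompted to
# change it as soon as the policy applies and their PasswordNeverExpires flag is cleared.
# A $null PasswordLastSet means "must change at next logon" and counts as affected.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires

$affected = $users | Where-Object {
    $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff
}

"Enabled users: $(@($users).Count)"
"Forced to change under a $plannedMaxAgeDays-day maximum: $(@($affected).Count)"
"  of which currently flagged PasswordNeverExpires: $(@($affected | Where-Object PasswordNeverExpires).Count)"

# List them oldest-first so the change can be communicated to the right people in advance.
$affected |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

If the "forced to change" count is a large share of the user base, stage the rollout: communicate the date, clear the flag in batches (the section 4.5 script already supports scoping), and keep the help desk informed so a wave of expiry prompts is not mistaken for an incident.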

8. References and Resources

Updated on October 26, 2025