What Is Active Directory Password Security?
Active Directory password security encompasses the policies, settings, and account configurations that govern how credentials are created, stored, and validated across your domain. When these controls are misconfigured, they become some of the most reliable entry points for attackers: no exploits, no zero-days, just a weak password or a cleartext credential left in a description field.
Password misconfigurations are particularly dangerous because they are quiet. No alert fires when a password never expires. No log entry is created when WDigest is enabled. Attackers enumerate these conditions silently and use them to establish footholds, escalate privileges, and persist indefinitely.
This article covers the six most critical password-related misconfigurations in Active Directory environments.
How It Works
Active Directory enforces password controls through two mechanisms: the Default Domain Password Policy, applied through Group Policy to all users, and Fine-Grained Password Policies (FGPP), applied to specific users or global security groups through Password Settings Objects (PSOs).
When neither is properly configured, the result is a domain where passwords are weak, old, or in some cases entirely absent. Combined with legacy authentication protocols like NTLMv1 and WDigest, this creates a credential attack surface that is trivially exploitable with freely available tools.
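A Fine-Grained Password Policy is the mechanism for holding privileged accounts to a stricter standard than the domain default. The following is an added example, not code from the original article; the PSO name, thresholds, target groups and the admin account name are assumptions chosen for illustration.

```powershell
# Added example: a Password Settings Object (PSO) for privileged accounts.
# Requires the ActiveDirectory module and a domain functional level of Windows Server 2008 or later.
Import-Module ActiveDirectory

# Name, thresholds and target groups below are assumptions for illustration.
$psoName = "PSO-PrivilegedAccounts"

# When a user is covered by several PSOs, the one with the lowest Precedence applies.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -Description "Stricter password settings for administrative accounts" `
    -MinPasswordLength 20 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# PSOs are applied to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects "Domain Admins", "Enterprise Admins"

# Verify which policy a given admin actually resolves to (assumed account name).
Get-ADUserResultantPasswordPolicy -Identity "adm-jdoe" |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

If the last command returns nothing, the account is not covered by any PSO and falls back to the Default Domain Password Policy.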
The Attack Chain
Step 1 - Enumerate Weak Accounts
Any authenticated domain user can query AD for accounts with weak password settings:
```powershell
# Accounts with passwords that never expire, oldest password first
Get-ADUser -Filter {PasswordNeverExpires -eq $true} -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet | Sort-Object PasswordLastSet

# Accounts where no password is required (PASSWD_NOTREQD flag set)
Get-ADUser -Filter {PasswordNotRequired -eq $true} -Properties PasswordNotRequired |
    Select-Object SamAccountName

# Accounts with a credential-like string in the description field
Get-ADUser -Filter * -Properties Description |
    Where-Object {$_.Description -match "pass|pwd|mdp|mot de passe|contrasena"} |
    Select-Object SamAccountName, Description
```
Step 2 - Check Legacy Protocol Exposure
```powershell
# Check if WDigest is enabled (forces cleartext credential caching in LSASS)
# UseLogonCredential = 1 means enabled; 0 or absent means disabled
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -Name UseLogonCredential

# Check NTLMv1 (weak NTLM version crackable offline)
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LmCompatibilityLevel
# Value 0-2 means NTLMv1 is allowed; should be 5 (NTLMv2 only)
```
Step 3 - Harvest and Crack
With WDigest enabled, any attacker who reaches LSASS (via Mimikatz or similar) retrieves cleartext passwords directly, with no cracking required:

```text
# Mimikatz: dump cleartext credentials when WDigest is enabled
sekurlsa::wdigest
```

For accounts with weak or non-expiring passwords, the attacker can password-spray online or crack offline after a hash dump:

```text
# Hashcat: offline dictionary attack against dumped NTLM hashes (mode 1000)
hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt
```
Step 4 - Persistence Through Never-Expiring Accounts
Accounts with PasswordNeverExpires are long-term persistence targets. Once compromised, the attacker's access survives indefinitely: no rotation will ever expire the password unless IT manually resets it.
Detection
Windows Event IDs
| Event ID | Source | What to Look For |
|---|---|---|
| 4723 | DC - Security | Password change attempt; monitor for failures on sensitive accounts |
| 4724 | DC - Security | Admin password reset; unexpected resets on privileged accounts |
| 4738 | DC - Security | Account modified; PasswordNeverExpires flag changed |
| 4771 | DC - Security | Kerberos pre-auth failed; repeated failures may indicate spraying |
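Event 4738 records the old and new userAccountControl values, so the flag flip the table points at can be detected directly from a domain controller's Security log rather than waiting for the next periodic audit. The following is an added example, not part of the original article; the seven-day lookback window is an assumption, and the bit values are the standard userAccountControl flags.

```powershell
# Added example: find 4738 (user account changed) events where userAccountControl gained
# the "password never expires" or "password not required" bit. Run on a domain controller.
$PASSWD_NOTREQD     = 0x0020    # userAccountControl: PASSWD_NOTREQD
$DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl: DONT_EXPIRE_PASSWD
$lookbackDays       = 7         # assumption: adjust to your retention

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4738; StartTime = (Get-Date).AddDays(-$lookbackDays) } -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML into a hashtable
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4738 logs the old and new userAccountControl values as hex strings, e.g. "0x10210"
    if ($data.OldUacValue -notmatch '^0x' -or $data.NewUacValue -notmatch '^0x') { continue }
    $oldUac = [Convert]::ToInt32($data.OldUacValue, 16)
    $newUac = [Convert]::ToInt32($data.NewUacValue, 16)

    # Only bits that were 0 before and 1 after are newly enabled
    $gained = $newUac -band (-bnot $oldUac)
    $flags  = @()
    if ($gained -band $DONT_EXPIRE_PASSWD) { $flags += 'DONT_EXPIRE_PASSWD' }
    if ($gained -band $PASSWD_NOTREQD)     { $flags += 'PASSWD_NOTREQD' }
    if (-not $flags) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Target    = $data.TargetUserName
        ChangedBy = $data.SubjectUserName
        Flags     = ($flags -join ', ')
    }
}
```

Audit Policy must have "Audit User Account Management" (success) enabled on the domain controllers, or 4738 is never written.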
Behavioral Anomalies
- Accounts with passwords older than 1 year, especially service accounts and admin accounts
- Description fields containing credential-like strings, often left by IT during provisioning
- WDigest enabled on domain controllers or workstations; it should never be enabled in modern environments
- NTLMv1 traffic, visible in network captures and Netlogon logs
SIEM Detection Query (Elastic KQL)
Detect NTLMv1 usage:

```text
event.code: "4624" AND
winlog.event_data.LmPackageName: "NTLM V1"
```
Remediation
Quick Win: Audit all accounts with `PasswordNeverExpires` and `PasswordNotRequired` today. These are free wins: no infrastructure change required.
1. Enforce a Strong Domain Password Policy
```powershell
# Set minimum password length to 14, enforce complexity, 90-day max age
Set-ADDefaultDomainPasswordPolicy -Identity corp.local `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24
```
2. Fix Non-Expiring Passwords
```powershell
# Find all enabled accounts with PasswordNeverExpires and clear the flag
# (add -WhatIf to Set-ADUser for a dry run before changing anything)
Get-ADUser -Filter {PasswordNeverExpires -eq $true -and Enabled -eq $true} |
    Set-ADUser -PasswordNeverExpires $false
```
Warning: Service accounts with `PasswordNeverExpires` may break if rotated without updating the service. Use gMSA accounts instead; they handle rotation automatically.
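Migrating a static service account to a group Managed Service Account (gMSA) removes the password from human hands entirely, so the rotation risk the warning describes goes away. The following is an added example, not code from the original article; the account, group, host and DNS names are assumptions for illustration.

```powershell
# Added example: replace a static service account with a gMSA.
# Names, hostnames and the group are assumptions for illustration.
Import-Module ActiveDirectory

# One-time prerequisite per forest: the KDS root key. After adding it, allow 10 hours
# for replication to all DCs before creating the first gMSA.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only members of this group may retrieve the managed password.
New-ADGroup -Name "gMSA-AppServers" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "gMSA-AppServers" -Members 'APP01$', 'APP02$'

# The gMSA itself: AD rotates its password automatically; no human ever knows it.
New-ADServiceAccount -Name "gmsa-app" `
    -DNSHostName "gmsa-app.corp.local" `
    -PrincipalsAllowedToRetrieveManagedPassword "gMSA-AppServers" `
    -ManagedPasswordIntervalInDays 30 `
    -Enabled $true

# On each application server (reboot first so the computer's group membership is refreshed):
#   Install-ADServiceAccount -Identity "gmsa-app"
#   Test-ADServiceAccount -Identity "gmsa-app"    # True when the host can retrieve the password
# Then configure the service to log on as CORP\gmsa-app$ with an empty password field.
```

Once the service runs under the gMSA, disable the old static account and clear its `PasswordNeverExpires` flag as in step 2.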
3. Fix Accounts Without a Required Password
```powershell
# Clear the PASSWD_NOTREQD flag on every account that has it set
Get-ADUser -Filter {PasswordNotRequired -eq $true} | ForEach-Object {
    Set-ADAccountControl -Identity $_ -PasswordNotRequired $false
}
```
4. Remove Passwords from Description Fields
```powershell
# Find and clear suspicious descriptions
# Review the matches first: this clears the whole description, not just the credential
Get-ADUser -Filter * -Properties Description |
    Where-Object {$_.Description -match "pass|pwd|mdp"} | ForEach-Object {
        Set-ADUser -Identity $_ -Clear Description
        Write-Host "Cleared description for: $($_.SamAccountName)"
    }
```
5. Disable WDigest
```powershell
# Disable WDigest cleartext credential caching
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" `
    -Name UseLogonCredential -Value 0
```
Deploy via GPO for all machines:
Computer Configuration > Administrative Templates > MS Security Guide > WDigest Authentication = Disabled
6. Enforce NTLMv2 Only
```powershell
# Set LAN Manager authentication level to NTLMv2 only
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name LmCompatibilityLevel -Value 5
```
Or via GPO: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: LAN Manager authentication level = Send NTLMv2 response only. Refuse LM & NTLM
How EtcSec Detects This
EtcSec audits every password-related control in your Active Directory environment automatically.
PASSWORD_NEVER_EXPIRES flags all enabled accounts with non-expiring passwords, prioritized by account sensitivity (admin accounts first).
PASSWORD_POLICY_WEAK evaluates your Default Domain Password Policy against current security standards: minimum length, complexity, history, and maximum age.
PASSWORD_NOT_REQUIRED identifies accounts where the PASSWD_NOTREQD flag is set, a direct path to authentication bypass.
PASSWORD_IN_DESCRIPTION scans all AD object descriptions for credential-like strings, a common provisioning mistake that turns into a critical exposure.
WDIGEST_ENABLED checks registry settings across domain controllers for WDigest cleartext credential storage.
NTLMV1_ALLOWED verifies that LAN Manager authentication is configured to reject NTLMv1 responses domain-wide.
Note: EtcSec checks all of these automatically in every AD audit. Run a free audit to see your full password security posture.