AD Starter Scan - Non-Expiring Account Password

medium Nessus Plugin ID 150483

Synopsis

Accounts with never expiring passwords

Description

Active Directory accounts can be configured to escape global password renewal policies. Accounts set up like this can be used indefinitely without ever changing their password. User and administrator accounts should never have this attribute set.

By default, this check skips disabled accounts. To also check disabled accounts, please enable thorough tests.

Note: This plugin is part of the Active Directory Starter Scan Template and is meant to be used for preliminary analysis of AD hosts. For more information on the issues discovered by the Active Directory Starter Scan plugins, please refer to this blog post - https://www.tenable.com/blog/new-in-nessus-find-and-fix-these-10-active-directory-misconfigurations

Solution

A password expiration policy limits the risk of an attacker guessing or cracking a password before it is changed. All the user accounts and administrator accounts must follow this policy without exception.

Service accounts can be more difficult to deal with: if a password expires and it has not been taken into account by the application developer, the service might stop functioning. A special procedure must then be written to allow for a manual password change on a regular basis.

See Also

http://www.nessus.org/u?3acc23a3

http://www.nessus.org/u?f721fda2

http://www.nessus.org/u?d5c4c81f

Plugin Details

Severity: Medium

ID: 150483

File Name: adsi_account_pwd.nbin

Version: 1.43

Type: local

Agent: windows

Family: Windows

Published: 7/29/2021

Updated: 8/15/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent

Risk Information

CVSS Score Rationale: Score based on an in-depth analysis by tenable.

CVSS v2

Risk Factor: Medium

Base Score: 4.1

Vector: AV:L/AC:M/Au:S/C:P/I:P/A:P

CVSS Score Source: manual

CVSS v3

Risk Factor: Medium

Base Score: 4.5

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Vulnerability Information

CPE: cpe:/a:microsoft:active_directory

Required KB Items: Secret/adsi/username/0, Secret/adsi/password/0, adsi/host/0, adsi/domain/0, adsi_enum_users_and_groups/available