AD Starter Scan - Blank passwords

medium Nessus Plugin ID 150489

Synopsis

An account might have an empty password.

Description

A blank password can be specified for an account with the PASSWD_NOTREQD option. This option is set through the account's UserAccountControl attribute. This is possible during account creation or when the password is reset by an administrator.

The 'User must change password at next logon' option is not affected by this issue: when the user logs on and is forced to set a new password, that new password cannot be empty.

An account without a password is highly vulnerable: it gives an attacker full access to the resources of that account.

By default, this check skips disabled accounts. To also check disabled accounts, please enable thorough tests.

Note: This plugin is part of the Active Directory Starter Scan Template and is meant to be used for preliminary analysis of AD hosts. For more information on the issues discovered by the Active Directory Starter Scan plugins, please refer to this blog post - https://www.tenable.com/blog/new-in-nessus-find-and-fix-these-10-active-directory-misconfigurations

Solution

Ensure that all Active Directory accounts are configured correctly regarding the use of blank passwords. In particular, no empty password should be allowed for privileged accounts.
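The detection and the remediation described above, as an added example (not code from the plugin or from Tenable): PASSWD_NOTREQD is bit 0x0020 (decimal 32) of the userAccountControl attribute, and ACCOUNTDISABLE is bit 0x0002, so both can be matched with the LDAP bitwise-AND matching rule. The script assumes the ActiveDirectory (RSAT) module on a domain-joined session with rights to read, and for the second function to modify, user objects; the function names, the -IncludeDisabled switch (which mirrors the plugin's thorough-tests behaviour) and the "LikelyPrivileged" heuristic based on adminCount are this example's own choices.

```powershell
# Added example, not part of the Nessus plugin.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-PasswordNotRequiredAccount {
    [CmdletBinding()]
    param(
        # Like the plugin, skip disabled accounts unless explicitly asked to include them.
        [switch]$IncludeDisabled,
        # Optional OU distinguished name; defaults to the whole domain.
        [string]$SearchBase
    )
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule; 32 = PASSWD_NOTREQD (0x0020).
    $filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))'
    if (-not $IncludeDisabled) {
        # Exclude accounts carrying ACCOUNTDISABLE (0x0002).
        $filter = '(&' + $filter + '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    }
    $params = @{
        LDAPFilter = $filter
        Properties = 'userAccountControl', 'PasswordLastSet', 'adminCount'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            Enabled            = $_.Enabled
            PasswordLastSet    = $_.PasswordLastSet
            # adminCount=1 marks objects protected by AdminSDHolder; treat them as privileged
            # (example heuristic, not a claim from the plugin text).
            LikelyPrivileged   = ($_.adminCount -eq 1)
            UserAccountControl = ('0x{0:X}' -f $_.userAccountControl)
        }
    }
}

function Clear-PasswordNotRequiredFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$SamAccountName
    )
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Clear PASSWD_NOTREQD')) {
            # Clears bit 0x0020 so the password policy applies again. This does not set a
            # password by itself: for an account whose password really is empty, follow up
            # with Set-ADAccountPassword and Set-ADUser -ChangePasswordAtLogon $true.
            Set-ADUser -Identity $SamAccountName -PasswordNotRequired $false
        }
    }
}

# Usage: report first (including disabled accounts, as a thorough scan would), then
# remediate privileged hits with -WhatIf before committing the change.
Get-PasswordNotRequiredAccount -IncludeDisabled | Format-Table -AutoSize
Get-PasswordNotRequiredAccount | Where-Object LikelyPrivileged | Clear-PasswordNotRequiredFlag -WhatIf
```

The flag only permits an empty password; it does not prove one is set, and PasswordLastSet on the report helps decide which hits need a password reset as well as the flag cleared. Because Set-ADUser supports -WhatIf through ShouldProcess, the remediation can be dry-run against the full list before any object is modified.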

See Also

http://www.nessus.org/u?097f9439

http://www.nessus.org/u?d5c4c81f

Plugin Details

Severity: Medium

ID: 150489

File Name: adsi_blank_pwd.nbin

Version: 1.10

Type: local

Agent: windows

Family: Windows

Published: 7/29/2021

Updated: 9/20/2021

Dependencies: adsi_enum.nbin

Risk Information

CVSS Score Source: manual

CVSS Score Rationale: Score based on an in-depth analysis by Tenable.

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:P

CVSS v3

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Vulnerability Information

CPE: cpe:/a:microsoft:active_directory

Required KB Items: Secret/adsi/username/0, Secret/adsi/password/0, adsi/host/0, adsi/domain/0, adsi_enum_users_and_groups/available