AD Starter Scan - Blank passwords

medium Nessus Plugin ID 150489


An account might have an empty password.


A blank password can be specified for an account with the PASSWD_NOTREQD option. This option is set through the account's UserAccountControl attribute. This is possible during account creation or when the password is reset by an administrator.

The 'User must change password at next logon' option is not affected by this issue, as it validates that when the user connects and changes his password, the password cannot be empty.

An account without a password is a highly vulnerable one. This allows an attacker to get full access to the resources of the account.

By default, this check skips disabled accounts. To also check disabled accounts, please enable thorough tests.

Note: The AD Starter Scan and associated plugins are intended to be used with smaller AD deployments for purposes of preliminary analysis. Accurate preliminary analysis can be expected for AD deployments with up to 5000 users, groups or machines and incomplete results will be returned for larger AD deployments with Nessus, Security Center and Vulnerability Management. For more information on the issues discovered by the Active Directory Starter Scan plugins, please refer to this blog post -


Ensure that all Active Directory accounts are configured correctly regarding the use of blank passwords. In particular, no empty password should be allowed for privileged accounts.

See Also

Plugin Details

Severity: Medium

ID: 150489

File Name: adsi_blank_pwd.nbin

Version: 1.92

Type: local

Agent: windows

Family: Windows

Published: 7/29/2021

Updated: 4/15/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS Score Rationale: Score based on an in-depth analysis by tenable.


Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:P

CVSS Score Source: manual


Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Vulnerability Information

CPE: cpe:/a:microsoft:active_directory

Required KB Items: ldap_enum_person/available