AD Starter Scan - Blank passwords

medium Nessus Plugin ID 150489


An account might have an empty password.


A blank password can be specified for an account with the PASSWD_NOTREQD option. This option is set through the account's UserAccountControl attribute. This is possible during account creation or when the password is reset by an administrator.

The 'User must change password at next logon' option is not affected by this issue, as it validates that when the user connects and changes his password, the password cannot be empty.

An account without a password is a highly vulnerable one. This allows an attacker to get full access to the resources of the account.

By default, this check skips disabled accounts. To also check disabled accounts, please enable thorough tests.

Note: This plugin is part of the Active Directory Starter Scan Template and is meant to be used for preliminary analysis of AD hosts. For more information on the issues discovered by the Active Directory Starter Scan plugins, please refer to this blog post -


Ensure that all Active Directory accounts are configured correctly regarding the use of blank passwords. In particular, no empty password should be allowed for privileged accounts.

See Also

Plugin Details

Severity: Medium

ID: 150489

File Name: adsi_blank_pwd.nbin

Version: 1.43

Type: local

Agent: windows

Family: Windows

Published: 7/29/2021

Updated: 8/15/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent

Risk Information

CVSS Score Rationale: Score based on an in-depth analysis by tenable.


Risk Factor: Medium

Base Score: 6.8

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:P

CVSS Score Source: manual


Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Vulnerability Information

CPE: cpe:/a:microsoft:active_directory

Required KB Items: Secret/adsi/username/0, Secret/adsi/password/0, adsi/host/0, adsi/domain/0, adsi_enum_users_and_groups/available