The importance of strong passwords
Microsoft repeatedly asserts its desire to eliminate authentication using username and password. Hence, under the label "Modern Authentication," the manufacturer offers several alternative methods for Azure AD ("Entra ID").
In purely local AD environments, however, the vast majority of users still log in using a password, underscoring the necessity for strong passwords.
Set password criteria via policy
Active Directory has a policy outlining the criteria that a password must satisfy within a domain. If the password does not adhere to these criteria, it may be rejected during a password change attempt. If a single password policy for the entire domain is insufficient, system administrators can create a fine-grained password policy for specific users or groups.
The capabilities of AD password policies are confined to fixed complexity requirements and the specification of a minimum length. However, employees may still use their company name or easily guessed terms.
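The two policy layers mentioned above, the domain-wide default and a fine-grained password policy (PSO) for a subset of accounts, can be inspected and configured with the ActiveDirectory PowerShell module. The following is an added example, not code from the article or from Enzoic; it assumes RSAT on a domain-joined admin host, and the policy name, group name and account name are placeholders.

```powershell
# Added example (not part of the original article or Enzoic's tooling).
# Assumes the ActiveDirectory module (RSAT) on a domain-joined admin host;
# the policy name, group name and user below are placeholders for this example.
Import-Module ActiveDirectory

# Step 1: inspect the domain-wide default that applies unless a PSO overrides it
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold

# Step 2: create a stricter fine-grained policy for privileged accounts.
# Lower Precedence wins when several PSOs apply to the same user.
# MaxPasswordAge of 0 disables time-based expiry, matching the NIST/Microsoft advice.
$psoName = 'PSO-PrivilegedAccounts'   # placeholder name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -MaxPasswordAge ([TimeSpan]::Zero) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# Step 3: apply the PSO to a group (placeholder) rather than to individual users
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Tier0-Admins'

# Step 4: verify which policy actually wins for a given account (placeholder user)
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
```

Note that a PSO still only enforces length and complexity; it cannot reject a password because it appears in a breach list or contains the company name, which is the gap the rest of the article addresses.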
Password policy settings
The setting for the maximum age of a password is losing significance since Microsoft has been advising against enforcing regular password changes in its Security Baseline for some time. This aligns with recommendations from organizations such as NIST, which recommends eliminating time-based password resets in SP 800-63b.
Regular checks are advisable
Since Active Directory offers only limited protection against the use of weak passwords, it is advisable to check all accounts using an external tool regularly. Enzoic for Active Directory Lite, which is offered for free, is specifically designed for this purpose. Not only does this helpful tool evaluate password strength, but it also generates reports based on various criteria.
If an online shop is hacked, the stolen passwords will eventually be sold on the Dark Web. Attackers often use these lists of compromised passwords to gain access to accounts.
In such a situation, it can be disastrous if users use the same passwords for both personal and business purposes.
Enzoic has a dedicated team of threat researchers who use a combination of human expertise and automated intelligence to promptly gather all compromised passwords that surface on the Dark Web and store them in a database. Enzoic uses this database of compromised passwords to identify users in your Active Directory who use these passwords.
The comparison uses hashes, since Active Directory does not store passwords in plain text. Enzoic checks them against its database of compromised credentials using a partial hash comparison: only a segment of the hash is transmitted for analysis, which keeps the verification secure and confidential.
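To illustrate the partial-hash principle described above, here is an added example that is not from the article or from Enzoic and does not reproduce Enzoic's actual protocol. It assumes SHA-1 as the hash algorithm purely for illustration, simulates the "server" with a constructed two-entry breach corpus, and shows that only a five-character prefix ever leaves the client while the full-hash match happens locally.

```powershell
# Added example (not from the article or Enzoic). Demonstrates the partial-hash
# ("k-anonymity") comparison principle: only a short hash prefix leaves the client,
# and the full hash is matched locally against the returned candidate suffixes.
# The breach corpus is CONSTRUCTED here; a real service would return it over HTTPS.
# SHA-1 is an assumption for illustration, not Enzoic's actual algorithm.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    $sha1.Dispose()
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToUpperInvariant()
}

# Simulated server-side breach corpus (constructed sample of two weak passwords).
$script:BreachCorpus = @('password', 'Winter2023!') | ForEach-Object { Get-Sha1Hex $_ }

# Simulated server: given a 5-character prefix, return only the matching suffixes.
# The server never learns which full hash (or password) the client holds.
function Get-RangeSuffixes {
    param([Parameter(Mandatory)][ValidatePattern('^[0-9A-F]{5}$')][string]$Prefix)
    $script:BreachCorpus | Where-Object { $_.StartsWith($Prefix) } |
        ForEach-Object { $_.Substring(5) }
}

# Client side: hash locally, send the prefix only, compare the suffix locally.
function Test-PasswordCompromised {
    param([Parameter(Mandatory)][string]$Password)
    $hash   = Get-Sha1Hex $Password
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)
    $hits   = @(Get-RangeSuffixes -Prefix $prefix)
    return [bool]($hits -contains $suffix)
}

Test-PasswordCompromised 'password'        # in the constructed corpus -> True
Test-PasswordCompromised 'cZ9#vLq!r2Wm8t'  # not in the corpus        -> False
```

The design point is that the server sees only a prefix shared by many hashes, so a passive observer of the request cannot recover the password, yet the client still gets a definitive answer.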
Accounts without a password
Accounts with blank passwords obviously pose a security risk, especially if they have extensive permissions. With the help of a report, admins can easily identify these accounts and then either deactivate the accounts or force users to change the password at the next login.
Find reused passwords
If multiple accounts use the same password that has possibly been compromised, such an environment is particularly susceptible to password spraying, a technique that involves attackers trying the same password on many users. This poses a significant risk, as password spraying is often the precursor to lateral movement, where an attacker explores the network to escalate privileges.
Employees who own multiple accounts tend to use the same password everywhere for convenience. Obviously, this behavior is especially problematic for admin accounts. Enzoic for Active Directory Lite allows organizations to remediate this risk by detecting accounts with shared passwords.
Passwords that never expire
The tool identifies users who are not required to change their password, which is in line with the Microsoft and NIST recommendations mentioned above. After a security incident, however, all users must change their passwords, including accounts whose passwords have unlimited validity.
Conversely, many companies still require regular password changes as part of their security strategy. This report identifies exempted accounts.
The tool offers additional reports that do not directly serve password security but help system administration to harden Active Directory.
Administrator Accounts: This report displays all identified accounts with administrative rights. Apparently the tool not only examines the group memberships of accounts but also relies on the adminCount attribute. This attribute often still contains the value 1 after an account has been removed from an administrators group.
Inactive Accounts: If a user has not logged in for an extended period, their account can be deactivated or deleted to reduce the risk of cyberattacks.
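Four of the reports described above (accounts without a required password, passwords that never expire, administrator accounts with a stale adminCount, and inactive accounts) can be approximated with the ActiveDirectory module alone, which is useful both for cross-checking the tool's output and for environments where it cannot be installed. The following is an added example, not code from the article or from Enzoic; the inactivity threshold, the protected-group list and the output folder are assumptions chosen for this example.

```powershell
# Added example (not from the article or Enzoic). Reproduces four of the checks the
# article describes using only the ActiveDirectory module: accounts allowed an empty
# password, non-expiring passwords, stale adminCount flags, and inactive accounts.
# The threshold, protected-group list and output folder are assumptions for this example.
Import-Module ActiveDirectory

$InactiveDays = 90
$OutDir       = Join-Path $env:USERPROFILE 'Desktop\AD-PasswordAudit'   # placeholder path
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1) Accounts flagged PASSWD_NOTREQD (userAccountControl bit 0x20). The flag does not
#    prove the password is blank, but it is what permits a blank password to be set.
$noPwdRequired = Get-ADUser -Filter 'PasswordNotRequired -eq $true -and Enabled -eq $true' `
    -Properties PasswordNotRequired, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

# 2) Passwords that never expire: these are skipped by any age-based forced rotation,
#    so they need explicit attention after an incident.
$neverExpires = Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object Enabled | Select-Object SamAccountName, DistinguishedName

# 3) adminCount = 1 left behind after removal from a protected group: compare the
#    attribute against current membership of the built-in protected groups.
$protected = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
             'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
$currentAdmins = foreach ($g in $protected) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName
}
$currentAdmins = $currentAdmins | Sort-Object -Unique
$staleAdminCount = Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Where-Object { $currentAdmins -notcontains $_.SamAccountName } |
    Select-Object SamAccountName, DistinguishedName

# 4) No logon for $InactiveDays days. This relies on lastLogonTimestamp, which
#    replicates but can lag by up to 14 days, so treat the list as candidates.
$inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object Enabled | Select-Object SamAccountName, LastLogonDate

# Export one CSV per report and print a one-line summary for each.
$reports = @{
    'PasswordNotRequired'      = $noPwdRequired
    'PasswordNeverExpires'     = $neverExpires
    'StaleAdminCount'          = $staleAdminCount
    "Inactive${InactiveDays}d" = $inactive
}
foreach ($name in $reports.Keys) {
    @($reports[$name]) | Export-Csv -Path (Join-Path $OutDir "$name.csv") -NoTypeInformation
    '{0,-22} {1,5} account(s)' -f $name, @($reports[$name]).Count
}
```

Run it under an account that can read group membership and the adminCount attribute; the stale-adminCount list in particular is a starting point for review, since built-in accounts such as krbtgt legitimately carry the flag without belonging to the groups listed.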
Export of reports
The user-friendly report interface features a button allowing for easy switching between results. Additionally, you have the option to export reports in either CSV or PDF formats. For CSV exports, you can select to export individual reports or aggregate all reports into one. For PDF exports, you can choose between a detailed version or a summary of the report(s).
For partners, resellers, and MSPs, these reports represent an opportunity to augment their services by offering step-by-step instructions for remediating security risks.
If you run the tool under another (privileged) account, the reports are located on the desktop of the account used for authentication, not the current user. Opening the reports via the displayed link doesn't work in this case, and you have to open the exported report manually.
Installation and availability
Enzoic for Active Directory Lite can be downloaded from the manufacturer's website after registration. Installing the roughly 9 MB package is straightforward and can be completed within minutes.
Enzoic's free tool simplifies password auditing for AD admins. In addition to identifying weak passwords, it detects compromised passwords on the Dark Web or those shared by multiple users.
The reports also provide insights into accounts with empty passwords, administrative permissions, and non-expiring passwords. Additionally, admins can access a summary of inactive accounts, streamlining Active Directory.
The seamless interface, coupled with the report export capabilities, makes Enzoic for Active Directory Lite a valuable asset not just for businesses but also for partners, resellers, and MSPs.