AD Sec Assessment - Require computer accounts to have a password
Posted by maxcoder88@reddit | sysadmin | 8 comments
Hi,
During a recent vulnerability/pentest it was discovered that we have a few AD computer objects that don't have any password assigned to them.
Is it sufficient to right-click on the relevant computer objects here and reset the account?
Additionally, will there be any negative effects after resetting the account on these computer objects?
Cormacolinde@reddit
Euh that shouldn’t be possible. Computer accounts literally cannot connect to AD without a password. Those are possibly virtual objects or unused accounts. I would check what they might be for and disable them.
Substantial_Crazy499@reddit
Pre win2k compatibility group with anonymous logon added will do that :)
Cormacolinde@reddit
Thanks, you just gave me an aneurysm.
RainStormLou@reddit
Hire a better pentester that can explain their findings and provide suggested resolutions.
How many is a few? What are they?
Anticept@reddit
Those accounts will be unusable without a password. The most foundational Kerberos encryption runs on encrypting tickets with password hashes.
bageloid@reddit
https://trustedsec.com/blog/diving-into-pre-created-computer-accounts
Check if they are pre-created computer accounts, if so they may have the password not required flag set until you actually join a workstation with that name.
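As an added illustration of the check bageloid describes (this is not code from the thread or from the linked TrustedSec post), the script below lists every computer object that carries the PASSWD_NOTREQD bit (0x20) in userAccountControl, the flag that lets the account exist without a password. It reads pwdLastSet to tell pre-created, never-joined accounts (pwdLastSet is 0) from accounts a real machine once used, and shows the lowercase-name default password such an account would have. The optional remediation function disables accounts with no logon in the chosen window; the 90-day threshold, the parameter names and the choice to disable rather than delete are assumptions, not anything the thread recommends. It assumes the RSAT ActiveDirectory module and an account with read (and, for remediation, write) rights on the objects.

```powershell
# Added example, not from the Reddit thread: find and triage computer objects
# that have the PASSWD_NOTREQD flag set. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bit that permits an empty password on the object.
$PASSWD_NOTREQD = 0x20

function Get-PasswordNotRequiredComputers {
    # LDAP_MATCHING_RULE_BIT_AND on userAccountControl finds every object with the bit set,
    # regardless of which other flags (WORKSTATION_TRUST_ACCOUNT, ACCOUNTDISABLE, ...) are present.
    $filter = "(userAccountControl:1.2.840.113556.1.4.803:=$PASSWD_NOTREQD)"
    Get-ADComputer -LDAPFilter $filter `
        -Properties userAccountControl, pwdLastSet, lastLogonTimestamp, operatingSystem, whenCreated |
    ForEach-Object {
        # pwdLastSet of 0 means no machine has ever set a real password: a pre-created object
        # waiting for a join, which still has the default password (lowercase name, no '$').
        $preCreated = ($_.pwdLastSet -eq 0)
        $lastLogon  = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }

        [PSCustomObject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            UserAccountCtrl = $_.userAccountControl
            PreCreated      = $preCreated
            DefaultPassword = if ($preCreated) { $_.SamAccountName.TrimEnd('$').ToLower() } else { '(set by machine)' }
            LastLogon       = $lastLogon
            OperatingSystem = $_.operatingSystem
            Created         = $_.whenCreated
        }
    }
}

function Disable-StalePasswordNotRequiredComputers {
    # Assumed policy (not from the thread): anything flagged PASSWD_NOTREQD that has not
    # logged on within $StaleDays is disabled and gets a random password, and the flag is cleared.
    # Accounts a machine is actively using are reported but left alone for manual review.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$StaleDays = 90)

    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($c in Get-PasswordNotRequiredComputers) {
        $stale = ($null -eq $c.LastLogon) -or ($c.LastLogon -lt $cutoff)
        if (-not $stale) {
            Write-Warning "$($c.Name): flag set but active (last logon $($c.LastLogon)); review manually"
            continue
        }
        if ($PSCmdlet.ShouldProcess($c.Name, "disable, clear PASSWD_NOTREQD, set random password")) {
            # A random 32-character password replaces the empty/default one before the flag is removed,
            # so the object never sits with PASSWD_NOTREQD cleared and a known default password.
            $random = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
            $secure = ConvertTo-SecureString $random -AsPlainText -Force
            Set-ADAccountPassword -Identity $c.Name -Reset -NewPassword $secure
            Set-ADAccountControl  -Identity $c.Name -PasswordNotRequired $false
            Disable-ADAccount     -Identity $c.Name
        }
    }
}

# Usage: report first, then dry-run the remediation before running it for real.
Get-PasswordNotRequiredComputers | Format-Table -AutoSize
Disable-StalePasswordNotRequiredComputers -StaleDays 90 -WhatIf
```

Run the report first and keep the output: the names that come back, and whether each is a pre-created object, are exactly what the thread is asking the poster to establish before touching anything. The `-WhatIf` dry run prints what would change without modifying AD.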
picklednull@reddit
When you "reset the password" for a computer account, it's set to the name of the account in lowercase. I think it's impossible to actually have a blank password?
mikecel79@reddit
Pretty sure someone resetting the computer account is what caused it to have no password in the first place. If there aren’t actual devices using these accounts you should disable or delete them.