Update README.md
README.md
@@ -67,90 +67,107 @@ It should, as it is extremely sensitive operation that should never happen outsi
---

## Weak password report

This section explains in detail individual parts of weak password report.

1. Reversible Encryption:
* ****Explanation:**** Accounts have passwords stored in a reversible format that can be decrypted.
* **Risk Assessment:** High. Decrypted passwords can be misused easily.
* **Possible Cause:** Legacy applications requiring plaintext password equivalents.
* **Use:** Compatibility with older applications.
* **Remediation:** Disable reversible encryption through Group Policy ("Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > Store passwords using reversible encryption").

2. LM Hashes Present:
* **Explanation:** Use of outdated LAN Manager (LM) hashes for storing passwords.
* **Risk Assessment:** Very High. LM hashes are easily cracked.
* **Possible Cause:** Historical default settings for older Windows systems.
* **Use:** Compatibility with legacy clients or systems.
* **Remediation:** Disable LM hash storage via Group Policy ("Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Do not store LAN Manager hash value on next password change").

3. Accounts with No Password:
* **Explanation:** Accounts are configured without a password.
* **Risk Assessment:** Extremely High. Accounts are accessible without authentication.
* **Possible Cause:** Oversight or initial setup convenience.
* **Use:** Automated scripts or systems needing easy access.
* **Remediation:** Ensure all accounts have strong passwords. Disable unnecessary accounts.

4. Passwords Found in Dictionary:
* **Explanation:** Accounts use weak passwords found in common dictionaries.
* **Risk Assessment:** High. Dictionary attacks can easily guess these passwords.
* **Possible Cause:** Lack of strong password policies.
* **Use:** User convenience and easy recall.
* **Remediation:** Implement and enforce strong password policies, use password filter DLLs.

5. Same Passwords for Multiple Accounts:
* **Explanation:** Multiple accounts share the same password.
* **Risk Assessment:** High. Compromise of one account leads to multiple breaches.
* **Possible Cause:** Administrative convenience.
* **Use:** Simplified management across services.
* **Remediation:** Establish unique passwords for each account, audit for password uniqueness.

6. SamAccountName as Password:
* **Explanation:** Usernames are used as passwords.
* **Risk Assessment:** High. Easy to guess and compromise.
* **Possible Cause:** Rudimentary security setup.
* **Use:** Lowering barriers for user access.
* **Remediation:** Prohibit this practice through user education and strict password policies.

7. Computer Accounts with Default Passwords:
* **Explanation:** Computer accounts use default passwords.
* **Risk Assessment:** High. Default passwords are widely known.
* **Possible Cause:** Incomplete setup or bulk deployments.
* **Use:** Streamlined initial setup.
* **Remediation:** Reset all default passwords to strong, unique ones.

8. Missing Kerberos AES Keys:
* **Explanation:** Accounts lack AES keys for Kerberos, falling back to weaker encryption.
* **Risk Assessment:** Moderate to High. Weakens Kerberos authentication.
* **Possible Cause:** Incomplete updates or migrations.
* **Use:** Compatibility with older systems.
* **Remediation:** Enable AES encryption for Kerberos in account properties and domain policies.

9. No Kerberos Pre-Authentication Required:
* **Explanation:** Accounts can request authentication data without pre-authentication.
* **Risk Assessment:** High. Facilitates offline brute-force attacks.
* **Possible Cause:** Troubleshooting or legacy system compatibility.
* **Use:** Avoiding issues with older clients.
* **Remediation:** Enable Kerberos pre-authentication for all accounts via account properties.

10. Only DES Encryption Allowed:
* **Explanation:** Accounts are restricted to using DES encryption.
* **Risk Assessment:** Very High. DES is weak and easily compromised.
* **Possible Cause:** Retained settings from when DES was standard.
* **Use:** Ensuring functionality of older applications.
* **Remediation:** Configure accounts to use stronger encryption types like AES in Group Policy.

11. Susceptible to Kerberoasting:
* **Explanation:** Service accounts have SPNs and weak passwords, making them vulnerable.
* **Risk Assessment:** High. Enables offline password cracking.
* **Possible Cause:** Lack of awareness about service account security.
* **Use:** Service accounts needing elevated privileges.
* **Remediation:** Implement strong password policies for service accounts, rotate passwords regularly, use Managed Service Accounts (MSA).

12. Administrative Accounts Allowed for Delegation:
* **Explanation:** Admin accounts configured to allow delegation.
* **Risk Assessment:** High. Can be misused to escalate privileges.
* **Possible Cause:** Misunderstanding or overly permissive security culture.
* **Use:** Facilitating administrative processes.
* **Remediation:** Restrict delegation rights, use Constrained Delegation.

13. Passwords Will Never Expire:
* **Explanation:** Accounts are configured to never require password changes.
* **Risk Assessment:** Moderate to High. Increases risk of undetected breaches.
* **Possible Cause:** Minimizing administrative burden.
* **Use:** Reducing disruption from frequent password updates.
* **Remediation:** Configure policies to require periodic password changes.

14. Accounts Not Required to Have a Password:
* **Explanation:** Accounts do not require passwords for authentication.
* **Risk Assessment:** Extremely High. Allows unrestricted access.
* **Possible Cause:** Configuration error or setup for automated systems.
* **Use:** Automating processes without manual authentication.
* **Remediation:** Enforce password requirements for all accounts.

15. Smart Card Accounts with a Password:
* **Explanation:** Smart card-required accounts also have passwords set.
* **Risk Assessment:** Moderate to High. Bypasses smart card security.
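Review bot: the remediation for item 12 (Administrative Accounts Allowed for Delegation) does not match the finding. "Use Constrained Delegation" is a setting on the *service* account that impersonates others; the fix for an *admin* account that may be delegated is to mark it "Account is sensitive and cannot be delegated" (or add it to the Protected Users group), so its credentials cannot be forwarded at all. Suggested wording: "Mark administrative accounts as sensitive and not allowed for delegation; add them to the Protected Users group." Related points in the same list: for items 2, 8 and 10 the Group Policy change alone does not fix existing accounts, because LM hashes, AES keys and the DES-only flag are only recomputed or cleared when the password is next changed (the policy name in item 2 says so itself), and item 10 is a per-account flag rather than a domain policy, so each remediation should end with "then reset the affected accounts' passwords". For item 7, computer account passwords are managed by the machine, so "reset all default passwords to strong, unique ones" should read "reset the computer account password (or rejoin the computer to the domain)". Finally, item 1 uses `****Explanation:****` with doubled asterisks, which Markdown will not render as bold; every other item uses `**Explanation:**`.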