User Accounts Not Requiring Passwords
There are certain aspects of Active Directory that still puzzle many, including me. Nearly every AD environment that I have seen has at least one user account that is configured to not require a password. The root cause is not always known. However, the fact that a user can exist in AD today and not require a password is baffling.
First, you might be thinking that a user account configured to not require a password must still comply with the domain password policy. It does not. The setting is the PASSWD_NOTREQD flag (UF_PASSWD_NOTREQD, 0x0020) in the account's userAccountControl attribute, and when it is set the domain controller accepts a blank (zero-length) password for that account, a password that would otherwise fail the minimum-length and complexity checks. The password policy is enforced when a password is set, not when the account authenticates, so an account that already holds a blank password keeps it even if the flag is later cleared.
Second, how do you configure a user account to not require a password? The simplest way is the net user command with the /passwordreq:no switch, as shown in Figure 1.
You can see in Figure 2 that the userAccountControl attribute now carries the PASSWD_NOTREQD bit: a normal, enabled user account shows 512 (NORMAL_ACCOUNT, 0x0200), and the same account with this flag set shows 544 (512 + 32).
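The following PowerShell is an added example, not code from the original post or from Alsid; it assumes the RSAT ActiveDirectory module, a lab domain, and a hypothetical test account named lab.user. It sets the flag the same way Figure 1 does, reads the raw userAccountControl value back and decodes the 0x0020 bit, and then shows that the domain controller accepts a blank password for the account once the flag is on.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module, a lab domain, and a hypothetical test user 'lab.user'. Run in a lab.
Import-Module ActiveDirectory

$PASSWD_NOTREQD = 0x0020   # UF_PASSWD_NOTREQD bit of userAccountControl
$NORMAL_ACCOUNT = 0x0200   # UF_NORMAL_ACCOUNT; an enabled user is normally 512

# Two equivalent ways to set the flag. 'net user' is what the post's Figure 1 uses;
# Set-ADUser exposes the same bit as the PasswordNotRequired property.
net user lab.user /passwordreq:no
# Set-ADUser -Identity lab.user -PasswordNotRequired $true

# Read the raw attribute back and decode the bit rather than trusting the
# friendly property alone; this is what Figure 2 displays.
$u   = Get-ADUser -Identity lab.user -Properties userAccountControl
$uac = [int]$u.userAccountControl
[pscustomobject]@{
    SamAccountName      = $u.SamAccountName
    userAccountControl  = $uac                          # 544 = 512 + 32 for this lab account
    Hex                 = ('0x{0:X4}' -f $uac)          # 0x0220
    NormalAccount       = [bool]($uac -band $NORMAL_ACCOUNT)
    PasswordNotRequired = [bool]($uac -band $PASSWD_NOTREQD)
}

# Why the flag matters: with it set, the domain controller accepts a blank password
# for the account even though the domain policy has a minimum length. Without the
# flag the same reset fails with a "does not meet the length, complexity, or
# history requirement" error.
$blank = New-Object System.Security.SecureString     # zero-length password
Set-ADAccountPassword -Identity lab.user -Reset -NewPassword $blank

# The account can now log on with an empty password until it is reset again.
```

Note that the second half only succeeds while the flag is set; clearing the flag afterwards does not remove the blank password, which is why cleanup later in this post resets the password as well.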
Next, you might think that this information is only available to administrators, and that normal users would not be able to see it. Well, again you would be incorrect! By default every authenticated domain user can read userAccountControl on every user object, so a single LDAP query run from any domain-joined machine lists every account with the flag, as seen in Figure 3. Attackers use exactly this query and then try a blank password against each result.
Third, please go clean up these accounts before an attacker takes advantage of the situation! Clearing the flag alone is not enough: if an account already has a blank password, that password stays valid until it is changed, so reset the password at the same time.
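The PowerShell below is an added example, not code from the original post or from Alsid. It covers the two steps above: the enumeration that any domain user can run (the query behind Figure 3), and the administrative cleanup that clears the flag and resets the password. It assumes the ActiveDirectory module and a domain the current user can query; the account names are whatever your domain returns, and the $DryRun switch is a hypothetical guard so the cleanup half does nothing until you flip it.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# --- Part 1: enumeration (no admin rights needed) -------------------------------
# LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803) matches objects whose
# userAccountControl has the 0x20 (decimal 32) bit set. Get-ADUser already scopes
# the search to user objects, so computer accounts, which often carry this flag
# after pre-staging, are not included.
$flagged = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=32)' `
        -Properties userAccountControl, PasswordLastSet, LastLogonDate, whenChanged |
    Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate, whenChanged,
        @{ n = 'UAC'; e = { '0x{0:X4}' -f [int]$_.userAccountControl } }

$flagged | Sort-Object Enabled -Descending | Format-Table -AutoSize
# An enabled account with PasswordLastSet equal to its creation time (or null) is
# the one to worry about: it may never have been given a real password.

# --- Part 2: cleanup (requires rights to modify the accounts) -------------------
# Clearing the flag does not touch the stored password hash, so an account that
# already has a blank password keeps it until reset. Each account therefore gets
# the flag cleared, a random password, and a forced change at next logon.
$DryRun = $true   # hypothetical guard: set to $false to apply the changes

function New-RandomPassword {
    param([int]$Length = 24)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # Base64 output mixes upper, lower, digits and '+' '/', which satisfies the
    # default complexity rule; nobody needs to know this value, it is replaced at logon.
    return [Convert]::ToBase64String($bytes).Substring(0, $Length)
}

foreach ($acct in $flagged) {
    $id  = $acct.SamAccountName
    $pwd = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADUser            -Identity $id -PasswordNotRequired $false -WhatIf:$DryRun
    Set-ADAccountPassword -Identity $id -Reset -NewPassword $pwd     -WhatIf:$DryRun
    Set-ADUser            -Identity $id -ChangePasswordAtLogon $true -WhatIf:$DryRun
    Write-Host "Cleaned $id (dry run: $DryRun)"
}
```

Review the enumeration output before running the cleanup half: service accounts that genuinely hold a real password will be unaffected by clearing the flag but will break if their password is reset, so handle those with their owners rather than in the loop.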
Fourth, since you did not know that this situation existed in your production AD, how will you know when the next user is set to not require a password? Alsid for AD can tell you in real time when any user account has this setting configured.
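Whatever tooling you use for real-time alerting, the same change also leaves a trace on the domain controller that you can check. The PowerShell below is an added example, not code from the original post or from Alsid; it assumes you are running on a domain controller (or pass -ComputerName) with "Audit User Account Management" enabled, which is what produces event 4738. That event records every userAccountControl change on a user, and its User Account Control field names the flag in plain text.

```powershell
# Added example (not from the original post). Run on a domain controller with
# "Audit User Account Management" success auditing enabled; without it there are
# no 4738 events to read.
$since = (Get-Date).AddDays(-1)   # look back one day; adjust to taste

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4738; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # 4738 lists each changed flag as e.g. "'Password Not Required' - Enabled".
        # Note that OldUacValue/NewUacValue use the SAM (ACB) encoding, where this
        # flag is 0x0004, not the LDAP userAccountControl 0x0020, so match on the
        # text rather than on the hex value.
        if ($d.UserAccountControl -match "'Password Not Required'\s*-\s*Enabled") {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Target    = "$($d.TargetDomainName)\$($d.TargetUserName)"
                ChangedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                OldUAC    = $d.OldUacValue
                NewUAC    = $d.NewUacValue
            }
        }
    } | Format-Table -AutoSize
```

Each row names the account that was changed and the account that changed it, which is usually the first question in the follow-up. Forward 4738 to your SIEM with the same match if you want the alert rather than a scheduled report.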