Configuration Management / Active Directory - Blank passwords
Infrastructure
Description
A blank password can be specified for an account with the PASSWD_NOTREQD option. This option is set through the account's UserAccountControl attribute. This is possible during account creation or when the password is reset by an administrator.
The 'User must change password at next logon' option is not affected by this issue, as it validates that when the user connects and changes his password, the password cannot be empty.
Risk
An account without a password is a highly vulnerable one. This allows an attacker to get full access to the resources of the account.
Solution
Ensure that all Active Directory accounts are configured correctly regarding the use of blank passwords. In particular, no empty password should be allowed for privileged accounts.