Don’t store service account passwords in Active Directory attributes

A predecessor of mine decided to store service account passwords in the description attribute of the account. I’m somewhat grateful that he at least documented them, but further investigation showed just how negligent this is—especially given that many service accounts have escalated privileges.

I’m not super familiar with the gory details of how AD implements LDAP, but suffice it to say: it appears that any domain account may bind LDAP and query any other object’s properties—even totally unprivileged accounts within subdomains.

What this meant, in my case, was that a student account from within the student subdomain could retrieve privileged service account passwords from any computer within the firewall. If you haven’t played around with LDP.exe or similar, I suggest you give it a try.

Here’s a PowerShell one-liner that helped me quickly isolate vulnerable accounts. Note that you may need to adjust it, e.g. if passwords are stored in a different attribute or are not prefixed.

# List every user whose Description mentions a password; adjust the attribute and the wildcard patterns to match your environment.
Import-Module ActiveDirectory; Get-ADUser -Filter {Description -like "*pw*" -or Description -like "*pass*"} -ResultSetSize $null -Properties Description | Format-Table Name, Description
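As an added example (not code from the original post), here is the same audit widened to every domain in the forest, to all object classes, and to several free-text attributes besides Description, since a reader in a child domain can query the whole forest just as easily. It assumes the RSAT ActiveDirectory module, and the attribute list and keyword pattern are assumptions to tune for your environment.

```powershell
# Added example: forest-wide search for free-text attributes that look like they hold credentials.
# Assumes the RSAT ActiveDirectory module and ordinary read access to each domain (which, as the
# post notes, any domain account normally has).
Import-Module ActiveDirectory

# Attributes that administrators commonly (mis)use as note fields. Assumed list; adjust as needed.
$attrs = @('description', 'info', 'comment') + (1..15 | ForEach-Object { "extensionAttribute$_" })

# Broad keyword heuristic in the spirit of the original one-liner (-match is case-insensitive).
# Expect some false positives and review the hits by hand.
$pattern = '(pw|pwd|pass|password|secret|cred)'

# LDAP filter: return any object where at least one watched attribute is populated.
$filter = '(|' + (($attrs | ForEach-Object { "($_=*)" }) -join '') + ')'

$hits = foreach ($domain in (Get-ADForest).Domains) {
    # -Server accepts a domain FQDN and picks a DC in that domain for us.
    Get-ADObject -Server $domain -LDAPFilter $filter -Properties $attrs -ResultSetSize $null |
        ForEach-Object {
            $obj = $_
            foreach ($a in $attrs) {
                $value = $obj.$a
                if ($value -and ($value -match $pattern)) {
                    [pscustomobject]@{
                        Domain    = $domain
                        Name      = $obj.Name
                        Class     = $obj.ObjectClass
                        Attribute = $a
                        Value     = $value
                    }
                }
            }
        }
}

$hits | Format-Table Domain, Name, Class, Attribute, Value -AutoSize
```

Any account that shows up should have its password rotated as well as the attribute cleared, because every domain user could already have read the value.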

Moving forward, I’m going to pursue a password policy using KeePassX, an open-source password manager that has served me well for many years.
