Don’t store service account passwords in Active Directory attributes

A predecessor of mine decided to store service account passwords in the description attribute of the account. I’m somewhat grateful that he at least documented them, but further investigation showed just how negligent this is, especially since many service accounts hold elevated privileges.

I’m not super familiar with the gory details of how AD implements LDAP, but suffice it to say: it appears that any domain account may bind to LDAP and query any other object’s properties—even totally unprivileged accounts within subdomains.
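Since those note fields are readable by every authenticated principal, the practical defence is to audit them yourself. The following is an added example, not code from this post: it scans user objects for description-style attributes whose text looks like a stored credential, redacts the value in the report, and rates the finding by group membership. The entries, attribute list and privileged-group set are constructed assumptions; a real run would feed it the results of an LDAP search.

```python
import re

# Matches note-field text such as "Password: Hunter2", "pwd=...", "secret - ...";
# the trailing \b keeps ordinary words like "passwords rotate" from matching.
CRED_PATTERN = re.compile(
    r"\b(pass(?:word|wd|phrase)?|pwd|pw|secret|cred(?:ential)?s?)\b\s*[:=\-]?\s*(\S+)",
    re.IGNORECASE,
)

# Free-text attributes readable by any authenticated principal by default and
# commonly misused as note fields (assumption: this list is the audit's choice).
NOTE_ATTRIBUTES = ("description", "info", "comment")

# Groups whose members turn a finding critical (assumption: default high-privilege groups).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample of user objects shaped like LDAP search results;
# a real audit would populate this from ldap3 / ldapsearch output.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_backup",
     "description": "Backup agent - Password: Summ3r2019!",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"sAMAccountName": "svc_sql", "info": "pwd=Sql@dmin1",
     "memberOf": ["CN=SQL Operators,OU=Groups,DC=corp,DC=example"]},
    {"sAMAccountName": "jdoe", "description": "Helpdesk, ext 4411", "memberOf": []},
    {"sAMAccountName": "svc_web",
     "description": "Owner: web team; passwords rotate quarterly", "memberOf": []},
]


def redact(secret: str) -> str:
    """Keep a two-character prefix so the finding is identifiable without re-exposing the value."""
    return secret[:2] + "*" * (len(secret) - 2)


def is_privileged(member_of) -> bool:
    """True if the leading RDN of any group DN names a privileged group."""
    return any(dn.split(",")[0].split("=", 1)[-1] in PRIVILEGED_GROUPS for dn in member_of)


def find_credential_leaks(entries):
    """Return one finding per (account, attribute) whose free text looks like a stored credential."""
    findings = []
    for entry in entries:
        for attr in NOTE_ATTRIBUTES:
            match = CRED_PATTERN.search(entry.get(attr) or "")
            if match:
                findings.append({
                    "account": entry["sAMAccountName"],
                    "attribute": attr,
                    "keyword": match.group(1),
                    "redacted_value": redact(match.group(2)),
                    "severity": "critical" if is_privileged(entry.get("memberOf", [])) else "high",
                })
    return findings
```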
