In this article:
Objective
Prerequisites
Steps to follow
Validation and confirmation
Tips
Related topics and articles
Objective
This article explains how to use ADAudit Plus to detect when the "Store password using reversible encryption" setting is enabled for a user account, understand the security risks and immediate remediation steps, and implement long-term prevention strategies.
Prerequisites
You must have administrator access to the ADAudit Plus web console.
Event ID 5136 (A directory service object was modified) must be generated on all Domain Controllers. This requires enabling Audit Directory Service Changes under DS Access in the Advanced Audit Policy Configuration.
Object-level auditing (a SACL on the user objects, normally set at the OU or domain level and inherited) must audit successful writes to the userAccountControl attribute. Without that SACL entry no 5136 event is logged for the change, and ADAudit Plus has nothing to detect.
Steps to follow
The process for handling a Reversible Password Encryption change involves detection, immediate remediation, and prevention.
Part 1: Detecting the event
Navigate to the Active Directory Tab > Attack Surface Analyzer > Threats > Reversible Password Encryption.
This report shows all user accounts that have had the insecure "Store password using reversible encryption" setting enabled.
Part 2: Understanding the detection criteria
ADAudit Plus detects this insecure configuration change based on the following pattern:
Description: The "Store password using reversible encryption" option is enabled on a user's account properties. This is a highly insecure practice: the password is stored with reversible encryption instead of a one-way hash, so anyone who can read the directory database (a domain administrator, or an attacker who has obtained a copy of NTDS.dit or directory replication rights) can recover it in cleartext.
Detection Logic:
A single change to userAccountControl is logged as two 5136 events: one carrying the old value (Operation Type: Value Deleted) and one carrying the new value (Operation Type: Value Added). The following pair, for the same object, is detected within 60 seconds. Bit 128 (0x80) of userAccountControl is the ENCRYPTED_TEXT_PWD_ALLOWED flag, which is exactly what the "Store password using reversible encryption" checkbox sets.
An event carrying the "before" value, in which bit 128 is not set:
Event Code equals 5136.
Attribute LDAP Display Name equals userAccountControl.
Operation Type equals Value Deleted.
Attribute Value bitwise NOT AND (has bit disabled) 128.
Followed, within 60 seconds, by an event carrying the "after" value, in which bit 128 is set:
Event Code equals 5136.
Attribute LDAP Display Name equals userAccountControl.
Operation Type equals Value Added.
Attribute Value bitwise AND (has bit enabled) 128.
Requiring the bit to be clear in the "before" value is what distinguishes a new enable from an unrelated change (for example, disabling the account) made to an account that already had the setting on.
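The rule above, as an added example that is not part of the original article and not ADAudit Plus code: a PowerShell function that applies the same "before has bit 128 clear, after has bit 128 set, same object, within 60 seconds" test to parsed 5136 records. The records are constructed inside the block with property names that mirror the EventData fields of a real 5136 (ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType, SubjectUserName); in production they would come from Get-WinEvent on each domain controller's Security log with the event XML flattened into those names.

```powershell
# Added example (not ADAudit Plus code). Replays the Part 2 detection logic over
# hand-constructed 5136 records; nothing here is read from a live DC.

$ENCRYPTED_TEXT_PWD_ALLOWED = 0x80    # userAccountControl bit 128

function Find-ReversibleEncryptionEnabled {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds = 60
    )
    # Keep only userAccountControl modifications, oldest first
    $uac = @($Events | Where-Object {
        $_.EventId -eq 5136 -and $_.AttributeLDAPDisplayName -eq 'userAccountControl'
    } | Sort-Object TimeCreated)

    $hits = foreach ($del in ($uac | Where-Object { $_.OperationType -eq 'Value Deleted' })) {
        $old = [int]$del.AttributeValue
        # "Before" value must have bit 128 clear (bitwise NOT AND 128)
        if (($old -band $ENCRYPTED_TEXT_PWD_ALLOWED) -ne 0) { continue }

        # Matching "after" value: same object, Value Added, bit 128 set,
        # no more than $WindowSeconds later
        $add = $uac | Where-Object {
            $_.OperationType -eq 'Value Added' -and
            $_.ObjectDN -eq $del.ObjectDN -and
            $_.TimeCreated -ge $del.TimeCreated -and
            ($_.TimeCreated - $del.TimeCreated).TotalSeconds -le $WindowSeconds -and
            (([int]$_.AttributeValue) -band $ENCRYPTED_TEXT_PWD_ALLOWED) -ne 0
        } | Select-Object -First 1

        if ($add) {
            [pscustomobject]@{
                ObjectDN   = $del.ObjectDN
                ModifiedBy = $add.SubjectUserName
                OldUAC     = '0x{0:X}' -f $old
                NewUAC     = '0x{0:X}' -f ([int]$add.AttributeValue)
                When       = $add.TimeCreated
            }
        }
    }
    return @($hits)
}

# Helper that builds one constructed 5136-like record
function New-Uac5136 {
    param([datetime]$At, [string]$Dn, [string]$Op, [int]$Value, [string]$By)
    [pscustomobject]@{
        EventId = 5136; TimeCreated = $At; ObjectDN = $Dn
        AttributeLDAPDisplayName = 'userAccountControl'
        OperationType = $Op; AttributeValue = "$Value"; SubjectUserName = $By
    }
}

# Constructed sample data: three accounts, only jdoe should be flagged
$t0 = [datetime]'2024-05-01T10:00:00'
$ou = 'OU=Users,DC=corp,DC=example'
$sample = @(
    # jdoe: 0x200 (NORMAL_ACCOUNT) -> 0x280, bit 128 newly set: flag it
    New-Uac5136 $t0               "CN=jdoe,$ou"    'Value Deleted' 0x200 'helpdesk01'
    New-Uac5136 $t0.AddSeconds(1) "CN=jdoe,$ou"    'Value Added'   0x280 'helpdesk01'
    # asmith: 0x200 -> 0x202 (ACCOUNTDISABLE): a different bit, do not flag
    New-Uac5136 $t0.AddMinutes(5) "CN=asmith,$ou"  'Value Deleted' 0x200 'helpdesk01'
    New-Uac5136 $t0.AddMinutes(5) "CN=asmith,$ou"  'Value Added'   0x202 'helpdesk01'
    # ccarter: bit 128 was already set before the change (0x280 -> 0x282),
    # so this is not a new enable and must not be flagged either
    New-Uac5136 $t0.AddMinutes(9) "CN=ccarter,$ou" 'Value Deleted' 0x280 'svc-admin'
    New-Uac5136 $t0.AddMinutes(9) "CN=ccarter,$ou" 'Value Added'   0x282 'svc-admin'
)

$alerts = Find-ReversibleEncryptionEnabled -Events $sample
$alerts | Format-Table -AutoSize
```

Run against the constructed sample, the function returns a single row, for CN=jdoe (0x200 to 0x280, modified by helpdesk01). The asmith pair is excluded because the new value never has bit 128 set, and the ccarter pair because the old value already had it set.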
Part 3: Immediate remediation
Enabling this setting poses a severe security risk and must be addressed immediately.
Verify Legitimacy: Immediately confirm if enabling this setting was an authorized action. Legitimate use cases are extremely rare and are typically for compatibility with legacy applications. In most cases, this is a dangerous misconfiguration or malicious activity.
Disable the Setting:
Open Active Directory Users and Computers (ADUC).
Find the user account identified in the alert.
Go to Properties > Account tab.
Under Account options, uncheck the box for "Store password using reversible encryption".
Force Immediate Password Reset: Disabling the setting does not remove the reversibly encrypted password from the directory database; it stays there until the password is changed. You must force the user to reset their password immediately. The new password is then stored as a standard, non-reversible hash.
Investigate the Actor: The ADAudit Plus report will show the "Modified By" account. Investigate why this administrator made this change. If the action was unauthorized, the account that performed it should be considered compromised and investigated further.
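The three remediation steps above, carried out with the ActiveDirectory PowerShell module instead of ADUC, as an added example that is not part of the original article. The account name jdoe is a placeholder for the account named in the ADAudit Plus alert; the temporary password is random and must be handed to the user out of band (or the user is walked through a reset by the help desk).

```powershell
# Added example (not part of the original article): Part 3 in PowerShell.
# 'jdoe' is a placeholder for the account named in the alert.
Import-Module ActiveDirectory

$sam   = 'jdoe'
$props = 'userAccountControl', 'AllowReversiblePasswordEncryption', 'PasswordLastSet'

function Show-AccountState([string]$Label, $U) {
    '{0}: {1} reversible={2} userAccountControl=0x{3:X} PasswordLastSet={4}' -f `
        $Label, $U.SamAccountName, $U.AllowReversiblePasswordEncryption, $U.userAccountControl, $U.PasswordLastSet
}

# Step 1: record the current state before touching anything
$before = Get-ADUser -Identity $sam -Properties $props
Show-AccountState 'before' $before

# Step 2: clear the flag (equivalent to unchecking the box on the Account tab)
Set-ADUser -Identity $sam -AllowReversiblePasswordEncryption $false

# Step 3: the reversibly encrypted value stays in the directory until the
# password changes, so reset it now to a random temporary value...
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempSecure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $sam -Reset -NewPassword $tempSecure

# ...confirm the reset actually happened (PasswordLastSet moved forward)...
$afterReset = Get-ADUser -Identity $sam -Properties $props
if ($before.PasswordLastSet -and $afterReset.PasswordLastSet -le $before.PasswordLastSet) {
    throw "Password for $sam was not reset"
}

# ...and make the user replace the temporary value at next logon
Set-ADUser -Identity $sam -ChangePasswordAtLogon $true

# Step 4: verify the flag is gone (extended property and raw bit 0x80 both clear)
$after = Get-ADUser -Identity $sam -Properties $props
if ($after.AllowReversiblePasswordEncryption -or (($after.userAccountControl -band 0x80) -ne 0)) {
    throw "Reversible encryption is still enabled on $sam"
}
Show-AccountState 'after' $after
```

Setting ChangePasswordAtLogon clears pwdLastSet, so PasswordLastSet reads as empty in the final line; that is expected, and the reset is checked before that step for the same reason. The "Modified By" account from the alert is investigated separately; it is not touched here.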
Validation and confirmation
After remediation, the Reversible Password Encryption report in ADAudit Plus should no longer show the user account.
Re-inspect the user's account properties in ADUC to confirm the "Store password using reversible encryption" box is unchecked.
Confirm with the user that their password has been successfully reset.
Tips
The following best practices can help prevent the use of this insecure setting.
Policy and Education
Establish a firm security policy that explicitly forbids the use of reversible password encryption. Educate all Active Directory administrators on the severe risks associated with this setting.
Principle of Least Privilege (PoLP)
Restrict permissions to modify user account properties to only a small number of trusted administrators. Standard help desk accounts should not have the ability to change security-sensitive account options.
Regular Auditing
Use the ADAudit Plus Reversible Password Encryption report as a regular, proactive audit tool to scan for any accounts that have this setting enabled, rather than only reacting to an alert.
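A proactive sweep of the directory for the same condition, as an added example that is not part of the original article and not ADAudit Plus code. It queries for every account whose userAccountControl has bit 128 set, using the LDAP_MATCHING_RULE_BIT_AND extended match (OID 1.2.840.113556.1.4.803) so the bit test runs on the domain controller rather than on every user object pulled to the client. It also checks a related place the per-account report does not cover: the Default Domain Password Policy and any fine-grained password policy carry their own "store passwords using reversible encryption" switch, which enables the same storage for every account they apply to.

```powershell
# Added example (not ADAudit Plus code): enumerate accounts with
# userAccountControl bit 128 (ENCRYPTED_TEXT_PWD_ALLOWED) set, then check the
# password policies for the policy-level equivalent of the setting.
Import-Module ActiveDirectory

function Get-ReversibleEncryptionAccounts {
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)
    # 1.2.840.113556.1.4.803 = LDAP_MATCHING_RULE_BIT_AND: match if (uac -band 128) -ne 0
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
               -SearchBase $SearchBase `
               -Properties userAccountControl, PasswordLastSet, whenChanged |
        Select-Object SamAccountName, Enabled, PasswordLastSet, whenChanged,
            @{ n = 'UAC'; e = { '0x{0:X}' -f $_.userAccountControl } },
            DistinguishedName
}

$accounts = Get-ReversibleEncryptionAccounts
if ($accounts) {
    $accounts | Format-Table -AutoSize
} else {
    'No accounts have the per-account reversible encryption setting enabled.'
}

# Policy-level checks: the domain policy and PSOs can enable reversible storage
# for all the users they cover, independently of the per-account bit.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
if ($domainPolicy.ReversibleEncryptionEnabled) {
    'WARNING: the Default Domain Password Policy enables reversible encryption for all users.'
}
Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object ReversibleEncryptionEnabled |
    ForEach-Object { "WARNING: PSO '$($_.Name)' enables reversible encryption for its subjects." }
```

Scheduling this alongside the ADAudit Plus report catches accounts that were set before auditing was enabled, or whose 5136 events were never logged because the SACL in the prerequisites was missing.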
Deprecate Legacy Applications
Identify and plan the migration or decommissioning of any legacy applications that require reversible password encryption (for example, those that authenticate with CHAP or Digest authentication). This is the only way to eliminate the root cause for any legitimate use of this setting.
Related topics and articles
How to configure Attack Surface Analyzer in ADAudit Plus