The following PowerShell cmdlets will help you identify user accounts in your Active Directory environment whose settings are a joy for hackers.
My advice is to schedule the cmdlets or put them in a script to automate the process.
- Check for accounts that don’t have password expiry set
Get-ADUser -Filter 'useraccountcontrol -band 65536' -Properties useraccountcontrol
- Check for accounts that have no password requirement
Get-ADUser -Filter 'useraccountcontrol -band 32' -Properties useraccountcontrol
- Accounts that have the password stored in a reversibly encrypted format
Get-ADUser -Filter 'useraccountcontrol -band 128' -Properties useraccountcontrol
- List users that are trusted for Kerberos delegation
Get-ADUser -Filter 'useraccountcontrol -band 524288' -Properties useraccountcontrol
- List accounts that don’t require pre-authentication
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol
- List accounts that have credentials encrypted with DES
Get-ADUser -Filter 'useraccountcontrol -band 2097152' -Properties useraccountcontrol
Pipe the output to the Export-Csv cmdlet to create a usable list, for example: | Export-Csv your_list.csv
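One way to put the six checks into a single script suitable for scheduling, shown as an added example that is not from the original post. The flag labels, the `Get-RiskyUacFlag` helper and the output file name are assumptions chosen here; the bit values are the ones used in the cmdlets above, and the live query needs the ActiveDirectory (RSAT) module.

```powershell
# Added example: audit all six UserAccountControl bits in one pass.
# Labels are descriptive names chosen for this example; values come from the cmdlets above.
$riskyFlags = [ordered]@{
    PasswordNeverExpires = 65536
    PasswordNotRequired  = 32
    ReversibleEncryption = 128
    TrustedForDelegation = 524288
    NoKerberosPreAuth    = 4194304
    DesKeyOnly           = 2097152
}

# Hypothetical helper: return the labels of every risky bit set in a UAC value.
function Get-RiskyUacFlag {
    param([Parameter(Mandatory)][int]$Uac)
    $hits = $riskyFlags.GetEnumerator() |
        Where-Object { $Uac -band $_.Value } |
        ForEach-Object { $_.Key }
    $hits -join ';'
}

# Offline check on a constructed value: 512 (normal account) + 65536 + 4194304.
Get-RiskyUacFlag -Uac 4260352

# Live query: build an LDAP OR filter with the bitwise-AND matching rule so the
# domain controller returns only accounts that have at least one of the bits set.
Import-Module ActiveDirectory
$bitAnd  = '1.2.840.113556.1.4.803'
$clauses = $riskyFlags.Values | ForEach-Object { "(userAccountControl:${bitAnd}:=$_)" }
$filter  = "(|$($clauses -join ''))"

Get-ADUser -LDAPFilter $filter -Properties userAccountControl, PasswordLastSet |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            Enabled            = $_.Enabled
            PasswordLastSet    = $_.PasswordLastSet
            UserAccountControl = $_.userAccountControl
            RiskyFlags         = Get-RiskyUacFlag -Uac $_.userAccountControl
            DistinguishedName  = $_.DistinguishedName
        }
    } |
    Sort-Object SamAccountName |
    Export-Csv -Path .\uac_audit.csv -NoTypeInformation   # placeholder file name
```

Each account appears once with all of its risky flags in one column, so successive runs can be compared to spot newly weakened accounts.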
UserAccountControl flags are documented here!