Password Quality Check in Active Directory

⚠️ Detection of misconfigurations in Active Directory

• Passwords stored in clear text (unicodePwd, clearTextPassword)

• Accounts with “Password never expires” setting

• Accounts where users are required to change password at next logon

🧾 Service account inspection

Service accounts often represent the highest risk within infrastructure. That’s why we:

• Identify accounts with ServicePrincipalName (SPN) and common naming patterns like svc_, app_, srv_

• Check if accounts:

  • have passwords older than 12 months,

  • have the “Password never expires” flag without compensating controls,

  • have excessive privileges (e.g., membership in administrative groups),

  • reuse passwords across multiple accounts,

  • are disabled but still retain access rights,

📆 Password age and policy compliance analysis

• We evaluate password age and check for compliance with internal rules or standards (e.g., max. 180 days)

• We verify whether password expiration policies are enforced

📈 Output and Recommendations

• Executive summary with clear conclusions

• Detailed report (Excel file) listing accounts with indicators like match with leaked passwords, PasswordNeverExpires, pwdLastSet, SPN, etc.

• Security recommendations for password policy and account management improvements

🔧 Technical Execution

• Analysis is performed with read-only access, no changes to AD required

• Tools used: PowerShell, custom hash-checkers, Threat Intelligence databases

• All data stays within your environment – sensitive information is not transferred externally

🧩 Service Extensions

• Quarterly repeat audits (audit-as-a-service)

• Integration with SIEM/SOAR platforms

• IT workshop: “How to securely manage service accounts and implement tiering”

• Can be delivered as part of a broader Active Directory Security Audit – AD Security Audit LightSpeed

💰 Pricing and Delivery

• • Price: 990 EUR (for the standalone version)

  • Delivery time: Results provided within 3 business days from kickoff