Active Directory Best Practice: Avoid Reversible Encryption

Just say no to Storing Passwords with Reversible Encryption

There are several dozen settings within Active Directory that, if used, weaken security and open your environment to compromise. The Store password using reversible encryption option is one of them.

Notify if Reversible Encryption is set

Normally, when a password is set on an Active Directory user account, only a one-way hash of it (the NT hash) is stored, so the password itself cannot be read back out of the directory. When Store password using reversible encryption is enabled, the password is instead stored in a form the domain controller can decrypt: it is encrypted rather than hashed, and the key is held by the domain controller itself, so anyone who can read the directory database (a copy of NTDS.DIT, or directory replication rights of the kind abused by DCSync) recovers the password in clear text. Unfortunately, all it takes is a novice accidentally ticking the box on the user's Account property page, or passing the option in a PowerShell script, and the security of that account is essentially broken.

Whether this actually compromises your AD depends on the account it is set on: an ordinary user account exposes that user's password, while a privileged account with this flag hands anyone who can read the database a working administrative password. Note also that the setting only affects passwords set after it is changed: a password stored while the flag was on remains recoverable until that password is changed, so clearing the flag alone does not undo the exposure. The option exists only for legacy protocols that need the clear-text password (CHAP through remote access or NPS, and Digest Authentication in IIS); if none of those are in use, nothing in your environment needs it. To follow best practice your organization should adopt an IT Business Policy that excludes the use of this attribute, both on individual accounts and in the default domain and fine-grained password policies, where it can be switched on for every account the policy covers.
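The audit and clean-up described above, as an added PowerShell example (not Cayo Policy Manager code and not part of the original page). It assumes the ActiveDirectory RSAT module is installed and that the caller can read the domain; with -Remediate it also assumes write access to the affected user objects. The per-user setting is bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED) of userAccountControl, which the LDAP bitwise-AND matching rule can query directly; the policy-level setting is the ReversibleEncryptionEnabled property of the default domain and fine-grained password policies.

```powershell
# Added example (not the page's or Cayo's own code): report, and optionally fix,
# everywhere a domain stores passwords with reversible encryption.
# Assumes: ActiveDirectory module present, caller can read the domain, and
# (for -Remediate) can write userAccountControl / pwdLastSet on the flagged users.
[CmdletBinding()]
param(
    [switch]$Remediate   # default is report-only
)

Import-Module ActiveDirectory

# 1. Policy level. The default domain policy and any fine-grained password policy
#    can switch reversible storage on for every account they apply to.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
if ($domainPolicy.ReversibleEncryptionEnabled) {
    Write-Warning "Default domain password policy has ReversibleEncryptionEnabled = True"
}
Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object { $_.ReversibleEncryptionEnabled } |
    ForEach-Object { Write-Warning "Fine-grained password policy '$($_.Name)' has ReversibleEncryptionEnabled = True" }

# 2. Account level. 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule, so this
#    matches every user whose userAccountControl has the 0x80 bit set.
$uacEncryptedTextPwd = 0x80
$flagged = Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$uacEncryptedTextPwd)" `
    -Properties PasswordLastSet, PasswordNeverExpires, AdminCount

$report = foreach ($user in $flagged) {
    [PSCustomObject]@{
        SamAccountName  = $user.SamAccountName
        Enabled         = $user.Enabled
        # adminCount = 1 marks accounts protected by AdminSDHolder, i.e. current
        # or former members of privileged groups: treat these as highest priority.
        Privileged      = ($user.AdminCount -eq 1)
        PasswordLastSet = $user.PasswordLastSet
    }

    if ($Remediate) {
        # Clearing the flag only stops future passwords from being stored
        # reversibly; the clear text already on the DC stays until the password
        # is changed, so a password change has to be forced as well.
        Set-ADUser -Identity $user -AllowReversiblePasswordEncryption $false
        if ($user.PasswordNeverExpires) {
            # ChangePasswordAtLogon cannot be combined with PasswordNeverExpires;
            # such accounts (typically service accounts) need a manual rotation.
            Write-Warning "$($user.SamAccountName): flag cleared, but password never expires; rotate its password manually"
        } else {
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        }
    }
}

if ($report) {
    $report | Sort-Object Privileged -Descending | Format-Table -AutoSize
} else {
    Write-Output "No user accounts store their password with reversible encryption."
}
```

Run it without arguments first and review the Privileged column; any flagged account with AdminCount = 1 should have its password changed immediately rather than at next logon, since the stored clear text is already exposed to anyone with database or replication access.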

Cayo Policy Manager 2.0 automates administration and enforces IT Business Policies. Policy Manager will monitor your directory, notify you of IT Business Policy violations, and optionally correct them.
