Active Directory Best Practice Avoid Reversible Encryption

Just say no to Storing Passwords with Reversible Encryption

There are several dozen settings settings within Active Directory that if used can weaken security and open your environment to the threat of compromise. The Store password using reversible encryption option is one of those settings.

Notify if Reversible Encryption is set

Normally when a password is set on a user account in Active Directory the password is hashed using a one-way hash; an method that can not be decrypted. When Store password using reversible encryption is set the password is stored such that the password can be decrypted. Unfortunately, all it takes is a novice to accidentally set this option on the user property page or with a PowerShell script and the security of the account is essentially broken.

This doesn’t exactly mean that your AD security is compromised unless the account for which it is set is a privileged account that can be used to breach your security. To follow Best Practices your organization should adopt an IT Business Policy that excludes the use of this attribute.

Cayo Policy Manager 2.0 automates Administration and Enforces IT Business Policies. Policy Manager will monitor your directory and notify you of IT Business Policy violations and optionally correct them.

Check out these relevant resources.

New Survey Finds...

Active Directory forest recovery not taken serious enough. See what else your peers had to say.