How to Block Known Bad Active Directory Passwords
In this article, we will explore why and how to block the use of certain passwords for Active Directory user accounts. In an Active Directory environment, password security is a critical factor in protecting user accounts against cyberattacks. However, even with a strict password policy in place, some users or administrators may still choose weak passwords or ones that can be easily guessed. To strengthen the security of your domain, it is possible to prevent the use of specific passwords.

Why block certain passwords?

There are several scenarios in which it is advisable to prevent users or administrators from setting specific passwords. The larger and older an Active Directory environment becomes, the higher the likelihood of poor practices and notable weaknesses.

Throughout my career as a pentester, I have conducted numerous internal penetration tests in companies of different sizes, levels of maturity, and industries. In many cases, password reuse across multiple user accounts allowed me to compromise several accounts, including privileged ones, which sometimes led to the complete compromise of the domain.

To strengthen security and increase resilience against cyberattacks, it may be necessary to block specific passwords, especially when they arise from the following situations.

Common initial password for all accounts

A common practice within administration teams is to assign the same initial password (often referred to as a default password) to every new user, with the instruction to change it as soon as possible. A typical example of such a password could be “Welcome2024!”. However, this password change is not always enforced, especially when it is not technically required.

In many cases, it is possible to find user accounts still configured with this password even years after their creation, either because they were never used, or because the password change requirement was not applied (e.g., technical accounts, test accounts, or so-called temporary accounts).
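Before blocking the default password, it helps to know which accounts still carry it. The following audit is an added example (not code from the article) that lists enabled accounts whose password has never changed since creation, using the ActiveDirectory RSAT module; it assumes the attributes Created, PasswordLastSet and pwdLastSet are readable by the account running it, and it can only show that the password is unchanged, not what its value is.

```powershell
# Added example: find accounts that still hold their initial password.
# Two cases are reported:
#   - pwdLastSet = 0: "must change password at next logon" is set, so the
#     default password is present but a change is at least enforced;
#   - PasswordLastSet within a few minutes of Created: the password was set
#     once at provisioning and never changed afterwards.
Import-Module ActiveDirectory

# whenCreated and pwdLastSet are stamped at creation, normally within the
# same second; a small tolerance covers slow provisioning scripts.
$Tolerance = [TimeSpan]::FromMinutes(5)

$Users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties Created, PasswordLastSet, pwdLastSet, PasswordNeverExpires, LastLogonDate

$Findings = foreach ($u in $Users) {
    $MustChange   = ($u.pwdLastSet -eq 0)
    $NeverChanged = (-not $MustChange) -and ($null -ne $u.PasswordLastSet) -and
                    (($u.PasswordLastSet - $u.Created).Duration() -le $Tolerance)

    if ($MustChange -or $NeverChanged) {
        [PSCustomObject]@{
            SamAccountName       = $u.SamAccountName
            Created              = $u.Created
            PasswordLastSet      = $u.PasswordLastSet
            AgeDays              = [int]((Get-Date) - $u.Created).TotalDays
            PasswordNeverExpires = $u.PasswordNeverExpires
            LastLogonDate        = $u.LastLogonDate   # $null = never logged on
            Status               = if ($MustChange) { 'MustChangeAtNextLogon' }
                                   else { 'UnchangedSinceCreation' }
        }
    }
}

# Oldest accounts first: these are the "years after creation" cases.
$Findings | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

Accounts with Status UnchangedSinceCreation, PasswordNeverExpires set and no LastLogonDate are the technical, test and "temporary" accounts the text describes, and are the first candidates for a forced reset once the default password is blocked.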