jspωiki
PASSWD_NOTREQD

Overview #

If PASSWD_NOTREQD user-Account-Control Attribute Value bit is set, the user is not subject to a possibly existing policy regarding the length of password.

This implies the user could have shorter password than it is required or it may even have no password at all, even if empty passwords are not allowed. This property is not visible in the normal GUI tools (Active Directory Users and Computers)!

user-Account-Control Attribute Value attribute for an account Gill Bates is set to a decimal value of 544 (hex 220). The value is the sum of the individual property flags for the user-Account-Control Attribute Value of the User account.

A value of 544 (x220) indicates that the account has the following property flags set / enabled:

  • NORMAL_ACCOUNT: decimal 512 (x200)
  • PASSWD_NOTREQD: decimal 32 (x20)
Note that the PASSWD_NOTREQD property is represented by hex value x20, so any user-Account-Control Attribute Value of x20 has the PASSWD_NOTREQD flag set. Some examples of user-Account-Control Attribute Value, where the PASSWD_NOTREQD flag is set are:
  • x020 - 032 - PASSWD_NOTREQD
  • x220 - 514 - Enabled, PASSWD_NOTREQD
  • x222 - 546 - Enabled, PASSWD_NOTREQD
  • x40222 - 262690 - Disabled, Smartcard Required, PASSWD_NOTREQD

Interestingly, PASSWD_NOTREQD does NOT imply there is no password, only that one is not required. If there is a password then the account cannot be used for an Anonymous bind.

I have seen where IDM Vendor Products or other creation programs set PASSWD_NOTREQD to create the user then have failed to remove the flag.

Since Windows Server 2003, by default, anonymous LDAP Messages other than Bind Request are disabled. (Note the distinction LDAP Messages other than Anonymous bind).

Anonymous binds are permitted but, by default, the only Access is to the rootDSE. This allows anonymous access to the rootDSE as a Discovery Mechanism to then allow Authenticated binds.

Ldapwiki were able to perform a Anonymous bind as one of the users listed. (one with a pwdLastSet=0). So as Ldapwiki see it, there is no Vulnerability to Microsoft Active Directory, but could a user perform an bind with and empty password but using a DN of one of these users to access an application?

More Information #

There might be more information for this subject on one of the following: