
Is there an easy way to check Windows 2008R2 DC user accounts for a flag or keying material that shows that an account currently has a reversible password stored?

I'm aware of DSInternals but I'm not looking to decrypt the passwords. I've looked through AD attributes through AD Explorer but didn't see any obvious flags (even bitwise like ENCRYPTED_TEXT_PWD_ALLOWED in UserAccountControl doesn't change when the right is set at the group or domain level).

This could be useful to verify this data is deleted or to verify users that still have to use encryption methods like Digest or CHAP that require access to the password.

Thanks.

melds
  • 231

2 Answers


First off, digest authentication and reversible encryption should never ever be used. There are tools available to easily extract plain text passwords for accounts using these. Attackers commonly use this method to extract plain text passwords of your accounts so they can learn how passwords are generated and easily guess the next one if they ever lose persistence.

The best way to determine if this is being used is by checking if it is enabled in Group Policy, Fine-Grained Password Policies, or on the Active Directory user account. Once the setting is enabled, the user's plain text password will be available after the next password reset.

1) Group Policy (Default Domain Policy):

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy -> "Store password using reversible encryption"

From TechNet: "The intent of this policy is to provide support for applications which use protocols that require knowledge of the user password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information."

2) Fine-Grained Password Policies:

Check here for how to view a Resultant PSO for a User or a Global Security Group.

From TechNet: "You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain."

3) On the domain user object account options:

"Store password using reversible encryption"

Use this PowerShell query to find users in your domain that are configured with the "Store password using reversible encryption" check box checked:

Get-ADObject -LDAPFilter '(&(objectClass=user)(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=128))'

Here is another PowerShell method to identify domain accounts with reversible encryption enabled:

Get-ADUser -Filter 'AllowReversiblePasswordEncryption -eq "True"'

twconnell
  • 941
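The three checks above can be combined into one script that resolves, per user, which of the three sources (domain default, a PSO, or the per-user flag) ends up enabling reversible encryption. The following is an added example, not code from the answer above; it assumes the ActiveDirectory RSAT module in a domain-joined session with read access to the domain, and the filter values are placeholders. Because the asker observed that the userAccountControl bit does not change when the setting comes from a policy, the script uses Get-ADUserResultantPasswordPolicy to find the effective PSO instead of relying on the flag alone. PasswordLastSet is reported because the cleartext only exists if the password was changed after the setting took effect, and, conversely, lingers after the setting is cleared until the next reset.

```powershell
# Added example (not part of the original answer): report every enabled user whose
# password will be stored with reversible encryption, and which source causes it.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# 1) Domain-wide default (what the Default Domain Policy GPO writes to the domain NC).
$default = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Domain default policy: ReversibleEncryptionEnabled = {0}" -f $default.ReversibleEncryptionEnabled)

# 2) Fine-grained password policies (PSOs) that enable it, and the users/groups they apply to.
$riskyPsos = Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Where-Object { $_.ReversibleEncryptionEnabled }
foreach ($pso in $riskyPsos) {
    Write-Host ("PSO '{0}' (precedence {1}) enables reversible encryption; applies to:" -f $pso.Name, $pso.Precedence)
    $pso.AppliesTo | ForEach-Object { Write-Host "    $_" }
}

# 3) Per-user flag plus resolved policy. userAccountControl bit 0x80 is
#    ENCRYPTED_TEXT_PWD_ALLOWED, the bit the LDAP filter in the answer tests with the
#    1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) matching rule.
$ENCRYPTED_TEXT_PWD_ALLOWED = 0x80

$report = foreach ($u in Get-ADUser -Filter 'Enabled -eq "True"' -Properties PasswordLastSet, userAccountControl) {
    # Returns nothing when no PSO applies, in which case the domain default governs.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u
    $viaPolicy = if ($pso) { [bool]$pso.ReversibleEncryptionEnabled } else { [bool]$default.ReversibleEncryptionEnabled }
    $viaFlag   = ($u.userAccountControl -band $ENCRYPTED_TEXT_PWD_ALLOWED) -ne 0

    if ($viaPolicy -or $viaFlag) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Source          = if ($viaFlag) { 'user flag' } elseif ($pso) { "PSO: $($pso.Name)" } else { 'domain default' }
            # Cleartext is only present if the password was set after the setting was enabled.
            PasswordLastSet = $u.PasswordLastSet
        }
    }
}

$report | Sort-Object Source, SamAccountName | Format-Table -AutoSize
```

This tells you who is configured for reversible storage, not whether supplementalCredentials currently holds a cleartext value; that attribute is not readable over LDAP, so the configuration plus PasswordLastSet is the closest you get without a replication-based or offline read of the directory.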

2008R2 stores the password in a hidden supplementalCredentials attribute. This attribute is generally not readable or writable. There are methods of reading it, such as setting up a bogus replication peer by using Get-ADReplAccount in the DSInternals module or parsing the ntds.dit database file offline (e.g., with Get-ADDBAccount). LDAP-based tools, such as Revdump, no longer work.

melds
  • 231