Active Directory Password Analysis

Verify the actual security of your password policy in Active Directory.

Improsec performs an Active Directory Password Analysis to assess the password length, complexity, usage and strength for regular users, administrators and service accounts. This includes the use of “weak” but compliant passwords such as “Winter2018!” and “November2018”. You will furthermore gain insights into, if passwords used by administrators and for service accounts are sufficiently strong and how hard it would be to gain access to a regular, or an administrative, user account.

Value

  • Get an overview of the actual quality of passwords that are being used across the environment and across the different account types – regular users, administrators and service accounts

  • Get insights into password length, strength, complexity and the most common passwords used. This demonstrates the actual security level and may provide input for content of upcoming awareness campaigns and/or password policy changes

  • Concrete recommendations for enhancing the password quality in the environment

Product

The deliverable of the analysis is a written report containing the following:

  • A non-technical section with an Executive Summary for management and decision makers

  • A technical section including detailed observations, statistics and tangible recommendations

Findings listed in the report can be used and applied in user awareness campaigns - and with more analyses performed over time, trends can be followed

Method

The password analysis is performed on extracts of your Active Directory database. We will initially spend up to a week cracking the database using very high performing equipment. Afterwards we will analyse the output using various specialized tools. Data in transit will be encrypted using strong (currently AES 256-bit) encryption. Data will be kept in an isolated and dedicated environment at Improsec to ensure the confidentiality of data. Likewise, the report will also be encrypted using strong encryption. Data will be permanently destroyed after the final version of our report has been delivered

Involvement

The delivery requires minimal involvement of your technical staff. Primarily assistance is needed to extract encrypted passwords from the domain.