|
2 | 2 | title: 'Accounts security posture assessment' |
3 | 3 | ms.service: microsoft-defender-for-identity |
4 | 4 | ms.topic: article |
5 | | -ms.date: 09/15/2025 |
| 5 | +ms.date: 11/11/2025 |
6 | 6 | ms.reviewer: LiorShapiraa |
7 | 7 | description: Lists all Microsoft Defender for Identity security posture assessments for Active Directory accounts, with detailed impacts and remediation steps to help improve your Secure Score. |
8 | 8 | --- |
@@ -165,6 +165,26 @@ If the KRBTGT account's password is compromised, an attacker can use its hash to |
165 | 165 | > The krbtgt Kerberos account in all Active Directory domains supports key storage in all Kerberos Key Distribution Centers (KDC). To renew the Kerberos keys for TGT encryption, periodically change the krbtgt account password. It's recommended to use the [Microsoft-provided script.](https://github.com/microsoft/New-KrbtgtKeys.ps1) |
166 | 166 | > When resetting the password twice, wait at least 10 hours between resets to avoid Kerberos authentication issues. This wait time is enforced by the script and aligns with best practices. |
167 | 167 |
|
| 168 | +## Change password for on-prem account with potentially leaked credentials (Preview) |
| 169 | + |
| 170 | +**Description** |
| 171 | + |
| 172 | +This report lists users whose valid credentials have been leaked. When cybercriminals compromise valid passwords of legitimate users, the criminals often share those credentials. This is usually done by posting them publicly on the dark web or paste sites or by trading or selling the credentials on the black market. The Microsoft leaked credentials service acquires username/password pairs by monitoring public and dark web sites and by working with Researchers Law enforcement Security teams at Microsoft Other trusted sources. |
| 173 | + |
| 174 | +**User impact** |
| 175 | + |
| 176 | +When the service acquires user credentials from the dark web, paste sites or the above sources,an account with compromised credentials can be exploited by malicious actors to gain unauthorized access. |
| 177 | + |
| 178 | +**Implementation** |
| 179 | + |
| 180 | +1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions](https://security.microsoft.com/securescore?viewid=actions) for **Change password for accounts with potentially leaked credentials**. |
| 181 | +1. Review the list of exposed entities to discover which of your account passwords were leaked. |
| 182 | +1. Take appropriate actions on those entities by removing the service account: |
| 183 | + 1. Open the Active Directory Users and Computers (ADUC) console and sign in with an administrator account. |
| 184 | + 2. Navigate to the organizational unit (OU) where the user account is located. |
| 185 | + 3. Find and select the user account that needs a password change. |
| 186 | + 4. Right-click on the user account, select **Reset Password**, enter the new password, and confirm it. |
| 187 | + |
168 | 188 |
|
169 | 189 | ## Change password of built-in domain Administrator account |
170 | 190 |
|
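Review bot: Step 3 of the new Implementation list (line 182) tells the reader to act on the entities "by removing the service account", but the four sub-steps under it reset the password of a user account in ADUC and remove nothing. Reword the step so it matches the sub-steps and the section heading, for example "Take appropriate action on those entities by resetting the account password:". In the Description (line 172) the sources run together as "Researchers Law enforcement Security teams at Microsoft Other trusted sources", which reads like a flattened bullet list and needs commas or list markup. Line 176 is missing a space in "sources,an". The heading names the action "Change password for on-prem account with potentially leaked credentials" while step 1 (line 180) calls it **Change password for accounts with potentially leaked credentials**; use one name in both places.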
@@ -593,4 +613,4 @@ For example, if the **PasswordNotRequired** attribute is enabled, an attacker ca |
593 | 613 | ## Next steps |
594 | 614 |
|
595 | 615 | - [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score) |
596 | | -- [Check out the Defender for Identity forum!](https://aka.ms/MDIcommunity) |
| 616 | +- [Check out the Defender for Identity forum!](https://aka.ms/MDIcommunity) |
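Review bot: The forum link at the end of the file (old line 596, new line 616) is removed and re-added with no visible difference in text. If this is only a trailing-whitespace or end-of-file newline change, say so in the commit message; otherwise drop the line from the patch so the diff carries only the new section and the ms.date update.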