|
| 1 | +--- |
| 2 | +title: 'Security Assessment: Remove Discoverable Passwords in Active Directory Account Attributes (Preview)' |
| 3 | +description: Learn how to identify and address discoverable passwords in Active Directory account attributes to mitigate security risks and improve your organization's security posture. |
| 4 | +ms.date: 08/12/2025 |
| 5 | +ms.topic: how-to |
| 6 | +--- |
| 7 | + |
| 8 | +# Security Assessment: Remove discoverable passwords in Active Directory account attributes (Preview) |
| 9 | + |
| 10 | + |
| 11 | +## Why do discoverable passwords in Active Directory account attributes pose a risk? |
| 12 | + |
| 13 | +Certain free-text attributes are often overlooked during hardening but are readable by any authenticated user in the domain. When credentials or clues are mistakenly stored in these attributes, attackers can abuse them to move laterally across the environment or escalate privileges. |
| 14 | + |
| 15 | +Attackers seek low-friction paths to expand access. Exposed passwords in these attributes represent an easy win because: |
| 16 | + |
| 17 | +- The attributes aren't access-restricted. |
| 18 | + |
| 19 | +- They aren't monitored by default. |
| 20 | + |
| 21 | +- They provide context attackers can exploit for lateral movement and privilege escalation. |
| 22 | + |
| 23 | +Removing exposed credentials from these attributes reduces the risk of identity compromise and strengthens your organization’s security posture. |
| 24 | + |
| 25 | + |
| 26 | +## How does Microsoft Defender for Identity detect discoverable passwords? |
| 27 | + |
| 28 | +> [!NOTE] |
| 29 | +> Findings can include false positives. Always validate the results before taking action. |
| 30 | +
|
| 31 | +Microsoft Defender for Identity detects potential credential exposure in Active Directory by analyzing commonly used free-text attributes. This includes looking for common password formats, hints, `'description'`, `'info'`, and `'adminComment'` fields, and other contextual clues that might suggest the presence of credential misuse. |
| 32 | +This recommendation uses GenAI-powered analysis of Active directory attributes to detect: |
| 33 | + |
| 34 | +- Plaintext passwords or variations. For example, '`Password=Summer2025!'` |
| 35 | + |
| 36 | +- Credential patterns, reset hints, or sensitive account information. |
| 37 | + |
| 38 | +- Other indicators suggesting operational misuse of directory fields. |
| 39 | + |
| 40 | +Detected matches are surfaced in **Secure Score** and the **Security Assessment report** for review and remediation. |
| 41 | + |
| 42 | + |
| 43 | +## Remediation steps |
| 44 | + |
| 45 | +To address this security assessment, follow these steps: |
| 46 | + |
| 47 | +1. Review the recommended action at [https://security.microsoft.com/securescore?viewid=actions](https://security.microsoft.com/securescore?viewid=actions) for Remove discoverable passwords in Active Directory account attributes. |
| 48 | +1. Review the exposed entries in the security report. Identify any field content that includes: |
| 49 | + |
| 50 | + - Cleartext passwords |
| 51 | + |
| 52 | + - Reset instructions or credential clues |
| 53 | + |
| 54 | + - Sensitive business or system information |
| 55 | + |
| 56 | +1. Remove sensitive information from the listed attribute fields using standard directory management tools (for example, PowerShell or ADSI Edit). |
| 57 | +1. Fully remove the sensitive information. Don’t just mask the value. Partial obfuscation (for example, P@ssw***) can still offer useful clues to attackers. |
| 58 | + |
| 59 | +> [!NOTE] |
| 60 | +> Assessments are updated in near real time. Scores and statuses are updated every 24 hours. The list of impacted entities is updated within a few minutes of you implementing the recommendations. The status might take time until it's marked as **Completed**. |
| 61 | +
|
| 62 | +## Related articles |
| 63 | + |
| 64 | +- [Learn more about Microsoft Secure Score](/defender-xdr/microsoft-secure-score) |
0 commit comments