Ensure ‘Store passwords using reversible encryption’

Ensure 'Store passwords using reversible encryption' is set to 'Disabled'

By John Gates

December 15th, 2021

Password storage and encryption are an essential part of your password policy. Reversible encryption is known for being vulnerable to attacks. Therefore, it is crucial to map its usage and try to avoid it as much as possible.

This blog post will cover the following issues:

What is reversible encryption?
Reversible encryption vulnerability
Do not store passwords using reversible encryption – policy
How to turn off reversible encryption?
The potential impact of disabling reversible encryption
How to safely disable reversible encryption?

What is reversible encryption?

We are using passwords for numerous network activities. The most basic example is when we log in. therefore, the authentication process must have automated access to the user's credentials at any given time. Obstructive controls might interfere with the system's function properly.

For this reason, the key for reversible encryption must be stored in the machine all the time. If the machine's disk or memory is compromised, then all the reversible encrypted passwords will be compromised as well.

Reversible encryption Vulnerability:

Reversible encryption security weakness is straightforward: if the key is compromised, all of your encrypted data is compromised.

A possible attack scenario is when an attacker maliciously creates a password policy that links to Domain Admins and enables their passwords to be stored with reversible encryption. As a result, the attacker will access their passwords in plain text.

Top 10 Windows Server Vulnerabilities for 2021

Do not store passwords using reversible encryption - policy:

The Center of Internet Security benchmarks recommendation:

Ensure ‘Store passwords using reversible encryption’ is set to ‘Disabled.’

This rule is relevant for Member Servers, Domain Controllers, and Windows 10 endpoints.

The default value of this setting is Disabled.

Windows Passwords Setting Guide

How to turn off reversible encryption?

To Disable reversible encryption, you can use GPOs and follow this UI path: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption

The potential impact of disabling reversible encryption

It is not uncommon to see reversible encryption used in disks, files, email attachments, etc.

There are a few authentication protocols that use reversible encryption and will stop working if this setting is Disabled:

Challenge Handshake Authentication Protocol (CHAP) used for remote access.
Internet Authentication Service (IAS) is used for a RADIUS server and proxy.
Digest Authentication that is used for verifying credentials in IIS servers.

How to safely enforce this policy?

You shouldn't enforce this policy without checking its potential impact, or you'll cause damage to your production.

In addition, applying this policy through GPO on a user-by-user method is dangerous due to the high privileges needed in Active Directory to apply the change.

We recommend using hardening automation tools to safely implement this policy without risking production downtime and allocating the minimal number of users high privileges.

A hardening automation tool will indicate the impact of this policy on production automatically and will let you know where this policy can or can't be enforced without causing downtime. Furthermore, the hardening automation tool will centralize your machines' configurations to a single point. This will reduce the number of authorized people to perform configuration changes to a minimum.

Deep Dive Into Hardening Automation

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.