Ensure ‘Store passwords using reversible encryption’ is set to ‘Disabled’

By Keren Pollack, on December 15th, 2021

How passwords are stored is an essential part of your password policy. Windows normally keeps only a one-way hash of each account password; storing passwords with reversible encryption keeps them in a form that can be decrypted back to cleartext by anyone who obtains the key. Therefore, it is crucial to map where reversible encryption is enabled and to avoid it wherever possible.

 

This blog post will cover the following issues:

  1. What is reversible encryption?
  2. Reversible encryption vulnerability
  3. Do not store passwords using reversible encryption – policy
  4. How to turn off reversible encryption?
  5. The potential impact of disabling reversible encryption
  6. How to safely enforce this policy?

 

What is reversible encryption?

We use passwords for numerous network activities, the most basic being logon. The authentication process must therefore be able to read the stored credential automatically at any time, and a control that blocks that access would stop the system from functioning properly.

 

For this reason, the key that decrypts reversibly encrypted passwords must be present on the machine at all times (on a domain controller it lives in the directory database alongside the passwords it protects). If the machine’s disk or memory is compromised, or its directory database is copied, every reversibly encrypted password is compromised as well. A one-way hash, by contrast, gives the attacker only something to crack, not the password itself.

 

Reversible encryption vulnerability:

The security weakness of reversible encryption is straightforward: if the key is compromised, all of your encrypted data is compromised. For account passwords, the key is always reachable by the system that authenticates users, so there is no way to protect it the way a hash protects a password.

 

A possible attack scenario: an attacker who has already gained rights over password policy creates a fine-grained password policy that applies to Domain Admins and enables storing their passwords with reversible encryption (the same effect can be obtained by setting the per-account "Store password using reversible encryption" flag on individual users). The change is silent for the affected users; the next time each of them changes their password, it is stored in recoverable form, and the attacker can then read it in plain text by dumping the directory database or replicating it. Note that the flag only affects passwords set after it is enabled, so an audit that finds it switched on should also treat every password changed since then as exposed.

Do not store passwords using reversible encryption – policy:

The Center for Internet Security (CIS) benchmark recommendation:

Ensure ‘Store passwords using reversible encryption’ is set to ‘Disabled’.

This rule is relevant for Member Servers, Domain Controllers, and Windows 10 endpoints.

The default value of this setting is Disabled.


How to turn off reversible encryption?

To disable reversible encryption, use a GPO linked at the domain level (for domain accounts this setting is only effective in the Default Domain Policy or a fine-grained password policy) and follow this UI path: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption. Disabling the setting does not rewrite credentials that are already stored reversibly; those remain recoverable until the user next changes their password, so plan a password change for any affected accounts.
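Reversible password storage can be switched on in three places (the domain-wide policy, a fine-grained password policy, and a per-account flag), and the attack scenario described earlier uses the second or third of them rather than the GPO setting itself. The following PowerShell is an added example, not code from the original post or from CalCom: it audits all three locations and the local security policy database, and shows the remediation commands. It assumes the ActiveDirectory RSAT module is installed and that the session runs with rights to read (and, for remediation, modify) password policy; all names it prints come from your directory, nothing is hard-coded.

```powershell
# Added example: find every place reversible password storage is enabled, then remediate.
# Assumes: ActiveDirectory module (RSAT) available, run on a domain-joined host with an
# account permitted to read password policy. Remediation lines need policy-write rights.
Import-Module ActiveDirectory

$findings = New-Object System.Collections.Generic.List[string]

# 1. Local security policy database (what applies to this machine's local SAM accounts).
#    secedit exports the effective policy; ClearTextPassword = 1 means reversible storage.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg | Out-Null
$local = Select-String -Path $cfg -Pattern '^ClearTextPassword\s*=\s*(\d)' |
         ForEach-Object { $_.Matches[0].Groups[1].Value }
if ($local -eq '1') { $findings.Add("Local policy: ClearTextPassword = 1 (reversible storage enabled)") }
Remove-Item $cfg -ErrorAction SilentlyContinue

# 2. Domain-wide policy (the setting the CIS control targets).
$default = Get-ADDefaultDomainPasswordPolicy
if ($default.ReversibleEncryptionEnabled) {
    $findings.Add("Default domain policy stores passwords with reversible encryption")
}

# 3. Fine-grained password policies (PSOs). A PSO that enables reversible encryption and
#    applies to a privileged group is exactly the attack scenario from this post.
$badPsos = Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
           Where-Object { $_.ReversibleEncryptionEnabled }
foreach ($pso in $badPsos) {
    $findings.Add("PSO '$($pso.Name)' enables reversible encryption; applies to: $($pso.AppliesTo -join ', ')")
}

# 4. Per-account override: userAccountControl bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED).
#    The OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$flagged = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
                      -Properties userAccountControl, PasswordLastSet
foreach ($u in $flagged) {
    $findings.Add("Account '$($u.SamAccountName)' has the per-user reversible flag (password last set $($u.PasswordLastSet))")
}

if ($findings.Count -eq 0) { Write-Output "No reversible password storage found." }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }

# --- Remediation: uncomment only after reviewing the impact section of this post. ---
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -ReversibleEncryptionEnabled $false
# $badPsos | Set-ADFineGrainedPasswordPolicy -ReversibleEncryptionEnabled $false
# $flagged | Set-ADUser -AllowReversiblePasswordEncryption $false
# Passwords already stored reversibly stay recoverable until changed, so force a change:
# $flagged | Set-ADUser -ChangePasswordAtLogon $true
```

The PasswordLastSet value on flagged accounts tells you whether the password was set while the flag was active, which is what decides whether that password must be treated as exposed. Running the audit part on a schedule (or wiring its output into your SIEM) turns the attack scenario above into something you detect rather than discover after the fact.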

 

The potential impact of disabling reversible encryption

Reversible encryption in general is normal and necessary for disks, files, email attachments and similar data; this setting does not touch any of that. It governs only how account passwords are stored by Active Directory and the local SAM, and its impact is therefore limited to the authentication mechanisms that need the cleartext password.

 

A few authentication protocols require the cleartext password on the server side, use reversible encryption for that reason, and will stop working for accounts whose passwords are not stored reversibly once this setting is Disabled:

  1. Challenge Handshake Authentication Protocol (CHAP) used for remote access.
  2. Internet Authentication Service (IAS), now Network Policy Server (NPS), when used as a RADIUS server or proxy with CHAP.
  3. Digest Authentication used for verifying credentials on IIS servers.

Before enforcing the policy, inventory which accounts, if any, authenticate through these protocols. Those are the only accounts that can legitimately need the setting, and they should be moved to a protocol that works with hashed passwords (for example, MS-CHAP v2 or EAP in place of CHAP, and Windows or certificate-based authentication in place of Digest) rather than kept on reversible storage.

 

How to safely enforce this policy?

You shouldn’t enforce this policy without checking its potential impact first, or you will break authentication for the accounts and services listed above and cause damage to production.

 

In addition, handling exceptions account by account (the per-user "Store password using reversible encryption" flag) is dangerous: the change requires high privileges in Active Directory, so it spreads those privileges to more administrators, and each flagged account silently becomes a cleartext-password store that is easy to lose track of.

 

We recommend using hardening automation tools to implement this policy safely, without risking production downtime and while granting high privileges to the minimal number of users.

 

A hardening automation tool indicates the impact of this policy on production automatically and tells you where it can or can’t be enforced without causing downtime. Furthermore, it centralizes your machines’ configurations at a single point, which reduces to a minimum the number of people authorized to make configuration changes.