The Compliance Illusion
In the world of identity security, we have long been trained to worship at the altar of complexity. We enforce upper-case letters, numbers, special characters, and regular rotation intervals. We check the boxes, pass the compliance audits, and sleep soundly thinking our perimeter is secure.
But according to recent analysis by Specops Software, this approach is fundamentally flawed. It creates a "compliance illusion"—a false sense of security that leaves the most valuable targets wide open. While we are forcing users to memorize cryptic strings, attackers are simply walking through the front door using credentials we never bothered to check.
The reality is stark: attackers do not care whether your password includes an exclamation point if that password has already been leaked and sits in a credential list they can replay. They do not care about the complexity requirements of a service account whose password has not changed in five years. NIST SP 800-63B has said as much since 2017: screen passwords against lists of known-compromised values, and drop composition rules and scheduled rotation, both of which push users toward predictable patterns.
The Analysis: What Audits Miss
Traditional password audits rely on the policy enforcement mechanisms built into Active Directory or identity providers (IdPs). These tools verify that a user met the character requirements at the moment of creation or rotation. They do not validate the credential against external intelligence (has this value already been breached?) or against its own lifecycle (is anyone still using this account, and when was the password last set?).
1. The Breached Password Database
The most significant blind spot is the reliance on local logic instead of global intelligence. Billions of credentials have been dumped in breaches such as Collection #1 or the LinkedIn leak. When an audit checks only length and character classes, it allows users to set passwords that are technically complex but already known to threat actors. Attackers replay those known username and password pairs with automated credential stuffing tools against VPN portals, Outlook Web Access (OWA), and SSH endpoints; where they lack a matching pair, they fall back to password spraying, trying a handful of common compliant passwords (Summer2024!, Company123!) across every account in the directory.
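The check a local policy engine cannot perform is the one described above: asking whether a candidate password already appears in breach data. The following PowerShell is an added example, not code from the article or from Specops, showing how the Have I Been Pwned "Pwned Passwords" range API makes that check possible under a k-anonymity model: only the first five hex characters of the SHA-1 hash leave the machine, and the match against the returned suffixes happens locally. The range response used in the demonstration is constructed for illustration (the counts and the other suffixes are made up); Test-PwnedPassword performs the live lookup against the real endpoint.

```powershell
# Added example (not from the original article): check a candidate password against a
# Pwned Passwords range response using the k-anonymity model. Only the first 5 hex
# characters of the SHA-1 hash are ever sent; the service returns every known suffix
# for that prefix and the comparison is done here.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    $sha1.Dispose()
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToUpperInvariant()
}

function Test-PasswordInRangeResponse {
    # Pure matching logic: given a password and the text of a /range/{prefix} response
    # (lines of "SUFFIX:COUNT"), return how many times the password was seen in breaches,
    # or 0 if it is not listed. Network-free so it can be exercised offline.
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$RangeResponse
    )
    $suffix = (Get-Sha1Hex -Text $Password).Substring(5)
    foreach ($line in ($RangeResponse -split "`r?`n")) {
        if (-not $line) { continue }
        $parts = $line.Split(':')
        if ($parts[0].ToUpperInvariant() -eq $suffix) { return [int]$parts[1] }
    }
    return 0
}

function Test-PwnedPassword {
    # Live lookup against the real HIBP endpoint (network required). The Add-Padding header
    # makes every response a similar size so an observer cannot infer the result from length.
    param([Parameter(Mandatory)][string]$Password)
    $prefix = (Get-Sha1Hex -Text $Password).Substring(0, 5)
    $resp = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" `
                              -Headers @{ 'Add-Padding' = 'true' } -Method Get
    return Test-PasswordInRangeResponse -Password $Password -RangeResponse $resp
}

# --- Offline demonstration with a CONSTRUCTED range response ---------------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6 and
# the suffix is the remaining 35 characters. Counts and the other two suffixes are made up.
$constructedRange = @"
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
003D68EB55068C33ACE09247EE4C639306B:3
01264E3D3BE4DAE1ED9F18E91148A5B7E8D:1
"@

# 'password' is in the sample set; the second value is not, so it is accepted against this sample.
foreach ($pw in 'password', 'Tr0ub4dor&3-unique-phrase') {
    $seen = Test-PasswordInRangeResponse -Password $pw -RangeResponse $constructedRange
    if ($seen -gt 0) {
        Write-Host ("REJECT  '{0}' seen {1:N0} times in breach data" -f $pw, $seen) -ForegroundColor Red
    } else {
        Write-Host ("ACCEPT  '{0}' not present in the range response" -f $pw) -ForegroundColor Green
    }
}
```

Entra Password Protection and products like Specops perform this kind of check inside the password-change path, as a password filter on the domain controllers; a script like this cannot intercept password changes, but it is useful for vetting proposed passwords, self-service checks, or bulk-testing a list of plaintexts. The same API also accepts NTLM hash prefixes (the ?mode=ntlm query option), which matches the hash format Active Directory stores.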
2. Orphaned and Stale Accounts
Orphaned accounts, identities belonging to employees who have left the organization but whose accounts remain enabled, are a goldmine for lateral movement. In many organizations the HR offboarding process does not sync cleanly with Active Directory deprovisioning. An attacker who gains initial access through a phishing email on a low-privilege user account can enumerate the directory for these stale accounts. If an account has not logged on in 90 days but is still enabled, it is a prime candidate for hijacking: nobody is watching its behaviour, nobody will notice a password reset or a new logon location, and it may still hold group memberships nobody remembered to revoke.
3. The Service Account Paradox
Service accounts are the keys to the kingdom. They run background services, interact with databases, and often have privileges far exceeding those of standard users. Yet, they are notoriously poorly managed. Because they are automated, changing their password is risky—it breaks the application they service. Consequently, service accounts often have:
- PasswordNeverExpires: set to True, so the same credential can stay valid for years.
- Kerberos pre-authentication: disabled, which lets an unauthenticated client request an AS-REP encrypted with the account's key and crack it offline (AS-REP roasting).
- SPNs (Service Principal Names): registered, so any authenticated domain user can request a service ticket encrypted with the account's password-derived key and crack it offline (Kerberoasting).
Audits often skip these accounts because they are "exceptions" to the standard user policy. Yet these are precisely the accounts attackers target: Kerberoasting (T1558.003) turns a registered SPN into a crackable hash, and the recovered password is then used as a valid account (T1078) for privilege escalation and, often, domain dominance.
Detection and Threat Hunting
To move beyond compliance and into actual security, we must hunt for the weaknesses traditional audits miss. We need to identify accounts that are technically compliant but practically dangerous.
Hunting with KQL (Microsoft Sentinel)
Use the following KQL query against the IdentityInfo table to surface enabled users whose password has not changed in an extended period (a sign of a stale or orphaned account) or that carry the Password Never Expires flag. IdentityInfo is a periodic snapshot rather than an event stream, so the query first keeps only the latest row per account. Column names differ between the Sentinel UEBA and Defender XDR versions of the table (the enabled flag and the UPN field in particular), and password-age attributes are not populated in every tenant, so confirm them against the schema in your workspace before scheduling this as an analytic rule.
IdentityInfo
// snapshot table: keep the most recent row for each account before filtering
| summarize arg_max(TimeGenerated, *) by AccountName
| where Type == "User"
| where AccountEnabled == true
| extend DaysSincePwdChange = datetime_diff('day', now(), PasswordLastChanged)
| where DaysSincePwdChange > 180 or PasswordNeverExpires == true
| project AccountName, UserPrincipalName, DaysSincePwdChange, PasswordNeverExpires, OnPremisesSecurityIdentifier
| order by DaysSincePwdChange desc
This query helps surface accounts that have gone stale or are explicitly configured to never rotate—prime targets for an adversary looking for dormant credentials to abuse.
Auditing Service Accounts with PowerShell
Active Directory administrators can run the following PowerShell (requires the ActiveDirectory module from RSAT) to locate service accounts, identified here as enabled user objects that carry a Service Principal Name, with weak security configurations: passwords that never expire, reversible password encryption enabled, or Kerberos pre-authentication disabled.
# Get-ADUser for service accounts with weak configuration
Import-Module ActiveDirectory

# Any enabled user object carrying an SPN can be Kerberoasted; pull the flags we judge it by.
$ServiceAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, DoesNotRequirePreAuth, AllowReversiblePasswordEncryption, ServicePrincipalName

# @() guarantees an array so .Count works when exactly one account matches
$WeakServiceAccounts = @($ServiceAccounts | Where-Object {
    $_.PasswordNeverExpires -eq $true -or
    $_.DoesNotRequirePreAuth -eq $true -or                 # AS-REP roastable
    $_.AllowReversiblePasswordEncryption -eq $true         # cleartext-recoverable password
})
if ($WeakServiceAccounts.Count -gt 0) {
    Write-Host "[ALERT] Found $($WeakServiceAccounts.Count) vulnerable service accounts:" -ForegroundColor Red
    $WeakServiceAccounts |
        Select-Object Name, SamAccountName, PasswordLastSet, PasswordNeverExpires, DoesNotRequirePreAuth,
            AllowReversiblePasswordEncryption, @{Name="SPNs";Expression={$_.ServicePrincipalName -join ','}} |
        Format-Table -AutoSize
} else {
    Write-Host "No vulnerable service accounts found based on current criteria." -ForegroundColor Green
}
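The dormant-account hunt can also be run directly against Active Directory rather than Sentinel. The script below is an added example, not code from the article: it finds the enabled-but-inactive accounts described in the orphaned-accounts section and produces the review list a quarterly stale-account audit needs. It relies only on the standard ActiveDirectory module; the 90-day threshold and the CSV path are assumptions.

```powershell
# Added example (not from the original article): hunt for enabled, dormant AD user accounts.
# LastLogonDate is the AD module's view of lastLogonTimestamp, the replicated attribute; it is
# only rewritten when the stored value is ~14 days old, so read it as "last seen within about
# two weeks of this date". lastLogon is exact but per-DC and never replicated.
Import-Module ActiveDirectory

function Get-DormantAccounts {
    param(
        [int]$InactiveDays = 90,                                       # assumed threshold
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties LastLogonDate, PasswordLastSet, whenCreated, Description, ServicePrincipalName |
        Where-Object {
            # Never-logged-on accounts have a null LastLogonDate. Flag them only when they are
            # also older than the cutoff, otherwise every freshly created user shows up.
            ($null -eq $_.LastLogonDate -and $_.whenCreated -lt $cutoff) -or
            ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff)
        } |
        Select-Object SamAccountName,
            @{n='LastLogon';  e={ if ($_.LastLogonDate) { $_.LastLogonDate.ToString('yyyy-MM-dd') } else { 'never' } }},
            @{n='PwdAgeDays'; e={ if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { 'n/a' } }},
            @{n='Created';    e={ $_.whenCreated.ToString('yyyy-MM-dd') }},
            @{n='HasSPN';     e={ $_.ServicePrincipalName.Count -gt 0 }},   # service accounts need a different owner conversation
            Description
}

# Report first; disabling is a separate, reviewable step.
$dormant = Get-DormantAccounts -InactiveDays 90
$dormant | Sort-Object LastLogon | Format-Table -AutoSize
$dormant | Export-Csv -Path ".\dormant-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation   # assumed path

# After business-owner review: tag the account so the action is attributable, then disable it.
# -WhatIf shows what would change; remove it to apply.
$dormant | Where-Object { -not $_.HasSPN } | ForEach-Object {
    $note = "Disabled $(Get-Date -Format yyyy-MM-dd) by stale-account review; was: $($_.Description)"
    Set-ADUser -Identity $_.SamAccountName -Description $note -WhatIf
    Disable-ADAccount -Identity $_.SamAccountName -WhatIf
}
```

Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly is the built-in shortcut for the first half, but it also returns accounts that have never logged on at all, including ones created yesterday; the whenCreated check above avoids that noise. Because lastLogonTimestamp lags real activity by up to about two weeks, an account flagged at 90 days may have been used up to 104 days ago, so size the threshold with that slack in mind.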
Mitigation Strategies
Closing these gaps requires a shift from "policy enforcement" to "identity hygiene."
- Implement breached password protection: Microsoft Entra Password Protection (Microsoft's curated global banned list plus your own custom terms, extendable to on-premises AD through its domain controller agent) and third-party tools like Specops, which also screen against known breach corpora, block weak or leaked passwords regardless of how complex they look.
- Enforce lifecycle governance: automate the deprovisioning pipeline. Drive account disablement from the HR system of record, through an identity governance (IGA) platform or scheduled PowerShell, so an account is disabled within 30 minutes of a termination status being recorded rather than at the next manual review.
- Group Managed Service Accounts (gMSA): where the workload supports it (Windows services, scheduled tasks, IIS application pools, SQL Server), migrate standard service accounts to gMSA. Domain controllers generate and rotate the 240-byte random password automatically, every 30 days by default, so no static, never-expiring credential is left to steal. Applications that need the password as a literal string cannot use gMSA; those still need a vaulted, regularly rotated secret.
- Regular stale account audits: schedule quarterly reviews of enabled accounts with no logon in 90 days, judged on the replicated lastLogonTimestamp attribute rather than the per-DC lastLogon value. If the business owner cannot justify the account, disable it, and delete it after a further retention period.
- Kerberoasting mitigation: the Protected Users group is a control for privileged human accounts, not services; Microsoft's guidance is that service and computer accounts should never be members of it. For SPN-bearing accounts, set msDS-SupportedEncryptionTypes to AES-only so the KDC no longer issues RC4-encrypted service tickets for them, give any account that cannot move to gMSA a long random password (25 or more characters), and alert on bursts of Security event 4769 with ticket encryption type 0x17 (RC4), the classic Kerberoasting signature.
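Making the last item concrete, as an added PowerShell example that is not from the article: it lists the SPN-bearing accounts from the service-account discussion whose encryption-type configuration still lets the KDC issue RC4-encrypted service tickets, and shows the Set-ADUser change that restricts them to AES. The bit values are Microsoft's documented msDS-SupportedEncryptionTypes flags; treating an unset attribute as RC4-capable reflects the KDC's default for user accounts. The -WhatIf switches are deliberate; run it against a lab first.

```powershell
# Added example (not from the original article): audit SPN-bearing user accounts for
# RC4-cracking exposure and, after review, restrict them to AES. AES-only service tickets are
# far slower to crack offline than RC4 ones, but this does not replace a long random password
# or a gMSA; it buys time rather than removing the target.
Import-Module ActiveDirectory

# Bit flags for msDS-SupportedEncryptionTypes
$DES_CBC_CRC = 0x01; $DES_CBC_MD5 = 0x02; $RC4_HMAC = 0x04; $AES128 = 0x08; $AES256 = 0x10
$AesOnly = $AES128 -bor $AES256      # 0x18 = 24

function Get-EncTypeNames {
    param([int]$Value)
    $names = @()
    if ($Value -band $DES_CBC_CRC) { $names += 'DES-CRC' }
    if ($Value -band $DES_CBC_MD5) { $names += 'DES-MD5' }
    if ($Value -band $RC4_HMAC)    { $names += 'RC4' }
    if ($Value -band $AES128)      { $names += 'AES128' }
    if ($Value -band $AES256)      { $names += 'AES256' }
    if ($names.Count -eq 0) { 'unset (KDC default, RC4 permitted)' } else { $names -join '+' }
}

function Get-KerberoastableAccounts {
    # Enabled user objects with at least one SPN: exactly what a Kerberoasting tool enumerates.
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
               -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, AdminCount |
        ForEach-Object {
            $enc = [int]$_.'msDS-SupportedEncryptionTypes'    # $null becomes 0 = unset
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                EncTypes       = Get-EncTypeNames -Value $enc
                Rc4Allowed     = ($enc -eq 0) -or (($enc -band $RC4_HMAC) -ne 0)
                PwdAgeDays     = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { $null }
                Privileged     = ($_.AdminCount -eq 1)        # adminCount=1 marks (current or past) protected-group members
                SPNs           = ($_.ServicePrincipalName -join ', ')
            }
        }
}

$exposed = Get-KerberoastableAccounts | Where-Object { $_.Rc4Allowed }
$exposed | Sort-Object -Property Privileged, PwdAgeDays -Descending | Format-Table -AutoSize

# Remediation, per account, after confirming (a) the service itself negotiates AES and
# (b) the password has been reset at least once since the domain gained AES support,
# otherwise the account has no AES keys and authentication fails. Remove -WhatIf to apply.
# (Set-ADUser -KerberosEncryptionType AES128,AES256 is the friendlier equivalent of -Replace.)
foreach ($acct in $exposed) {
    Set-ADUser -Identity $acct.SamAccountName -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesOnly } -WhatIf
}
```

Sort order matters here: an RC4-capable, privileged account with a years-old password is the highest-value Kerberoasting target in the domain and should be first to move to gMSA or a fresh 25+ character random password, with the AES restriction applied afterwards. Pair the change with a detection on event 4769 where TicketEncryptionType is 0x17: a burst of such requests from one host against many SPNs is the signature of a Kerberoasting sweep.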
Security is not about checking boxes; it is about anticipating the attacker's next move. By focusing on the accounts attackers actually want—the breached, the orphaned, and the privileged—you transform your password policy from a nuisance into a formidable defense.