Enumerating Domain Password Policy Brief


What It Is

A concrete discovery technique that retrieves the domain password policy to determine what credential attacks are safe and viable. The policy settings — lockout threshold, minimum length, complexity, fine-grained overrides — directly inform spray rates, cracking feasibility, and target prioritization.

Preconditions

Any authenticated domain user, via a base-scope LDAP read of the domain naming context (minPwdLength, pwdProperties, lockoutThreshold, lockoutObservationWindow, lockoutDuration, maxPwdAge, minPwdAge, pwdHistoryLength) or via SAMR over RPC (for example rpcclient's getdompwinfo). In misconfigured environments the policy may be readable without credentials through SMB NULL sessions or LDAP anonymous binds. Fine-grained policies (PSOs under CN=Password Settings Container,CN=System) are commonly readable only by administrators, so a standard user may see just the default domain policy.

What the Attacker Gains

Lockout threshold + reset counter → safe spray rate. Minimum length + complexity → offline cracking viability. Password age → likelihood of weak passwords. Fine-grained policies → whether privileged accounts have weaker requirements. This transforms credential attacks from guesswork into calculated decisions.

Key Settings

  • Lockout threshold + reset counter — threshold of 5 with a 30-minute observation window means at most four bad attempts per account in any 30 minutes; a conservative cadence is one password per round across all users, one round every 35 minutes (the window plus a margin). A threshold of 0 disables lockout entirely
  • Minimum length — with an 8-character minimum, the full printable-ASCII keyspace of an NTLM hash falls to a multi-GPU rig in hours; 14+ pushes exhaustive search out of reach and forces wordlist/rule attacks
  • Complexity — requires characters from three of five categories (upper, lower, digit, symbol, other Unicode letters) and no substring of the username, but 'Spring2024!' meets the requirement; complexity is a floor, not protection
  • Fine-grained policies — per-group or per-user overrides (PSOs); a weak FGPP on service accounts undermines a strong default, and a strong FGPP on admins does not fix a weak default for everyone else
  • Password age — maxPwdAge of "never" (no expiration) or long-unchanged passwords increase crackability; a long minPwdAge also slows remediation after compromise
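The following is an added example, not code from the original page: it parses the attribute values a base-scope LDAP search on the domain root returns (AD stores durations as negative 100-nanosecond intervals, with 0x8000000000000000 meaning "never") and derives the spray cadence and cracking feasibility described above. The two policy dictionaries are constructed sample data, and the 1 TH/s NTLM rate is an assumed figure for a multi-GPU rig.

```python
"""Parse a domain password policy (LDAP root attributes) and derive attack constraints.

Added example with constructed sample data; not from the original page.
"""
from dataclasses import dataclass
from typing import Optional

TICKS_PER_SECOND = 10_000_000           # AD durations are 100-ns intervals, negative
AD_NEVER = -0x8000000000000000          # sentinel for "never" / "until admin unlocks"

# pwdProperties bit flags (MS-SAMR DOMAIN_PASSWORD_INFORMATION)
DOMAIN_PASSWORD_COMPLEX = 0x01
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10

# Constructed sample: an 8-character minimum with a 5 / 30-minute / 30-minute lockout.
SAMPLE_DEFAULT_POLICY = {
    "minPwdLength": "8",
    "pwdProperties": "1",
    "pwdHistoryLength": "24",
    "lockoutThreshold": "5",
    "lockoutObservationWindow": "-18000000000",   # 30 minutes
    "lockoutDuration": "-18000000000",            # 30 minutes
    "maxPwdAge": "-36288000000000",               # 42 days
    "minPwdAge": "-864000000000",                 # 1 day
}

# Constructed sample: lockout disabled and passwords that never expire.
SAMPLE_WEAK_POLICY = {
    "minPwdLength": "7",
    "pwdProperties": "0",
    "pwdHistoryLength": "0",
    "lockoutThreshold": "0",
    "lockoutObservationWindow": "-18000000000",
    "lockoutDuration": "-18000000000",
    "maxPwdAge": str(AD_NEVER),
    "minPwdAge": "0",
}


@dataclass
class PasswordPolicy:
    min_length: int
    complexity: bool
    store_cleartext: bool
    history_length: int
    lockout_threshold: int            # 0 means lockout is disabled
    observation_window_s: Optional[int]
    lockout_duration_s: Optional[int]  # None means "until an administrator unlocks"
    max_age_s: Optional[int]           # None means passwords never expire
    min_age_s: int


def ad_interval_to_seconds(value: str) -> Optional[int]:
    """Convert a negative 100-ns AD interval to seconds; None for the 'never' sentinel."""
    raw = int(value)
    if raw == AD_NEVER:
        return None
    return abs(raw) // TICKS_PER_SECOND


def parse_policy(attrs: dict) -> PasswordPolicy:
    """Build a PasswordPolicy from string-valued LDAP attributes of the domain root."""
    props = int(attrs["pwdProperties"])
    return PasswordPolicy(
        min_length=int(attrs["minPwdLength"]),
        complexity=bool(props & DOMAIN_PASSWORD_COMPLEX),
        store_cleartext=bool(props & DOMAIN_PASSWORD_STORE_CLEARTEXT),
        history_length=int(attrs["pwdHistoryLength"]),
        lockout_threshold=int(attrs["lockoutThreshold"]),
        observation_window_s=ad_interval_to_seconds(attrs["lockoutObservationWindow"]),
        lockout_duration_s=ad_interval_to_seconds(attrs["lockoutDuration"]),
        max_age_s=ad_interval_to_seconds(attrs["maxPwdAge"]),
        min_age_s=ad_interval_to_seconds(attrs["minPwdAge"]) or 0,
    )


def spray_plan(policy: PasswordPolicy, safety_margin: int = 2, pad_s: int = 300):
    """Return (attempts per account per window, seconds to wait between rounds).

    None when lockout is disabled: the rate is then bounded only by detection, not lockout.
    The margin leaves room for a user's own typos; badPwdCount is tracked per DC, so the
    PDC emulator's aggregated view is what finally triggers lockout.
    """
    if policy.lockout_threshold == 0:
        return None
    attempts = max(1, policy.lockout_threshold - safety_margin)
    wait_s = (policy.observation_window_s or 0) + pad_s
    return attempts, wait_s


def ntlm_exhaustive_hours(policy: PasswordPolicy, hashes_per_s: float = 1e12) -> float:
    """Hours to exhaust the printable-ASCII keyspace at the minimum length (assumed rate)."""
    return (95 ** policy.min_length) / hashes_per_s / 3600


def assess(policy: PasswordPolicy) -> list:
    """Turn the parsed settings into the findings a report would call out."""
    findings = []
    if policy.lockout_threshold == 0:
        findings.append("no lockout: unlimited password spraying")
    if policy.min_length < 14:
        findings.append(f"min length {policy.min_length}: exhaustive NTLM crack in "
                        f"~{ntlm_exhaustive_hours(policy):.1f} hours at 1 TH/s")
    if not policy.complexity:
        findings.append("complexity disabled")
    if policy.max_age_s is None:
        findings.append("passwords never expire")
    if policy.history_length == 0:
        findings.append("no password history: old passwords can be reused")
    if policy.store_cleartext:
        findings.append("reversible encryption enabled")
    return findings


if __name__ == "__main__":
    for name, raw in (("default", SAMPLE_DEFAULT_POLICY), ("weak", SAMPLE_WEAK_POLICY)):
        pol = parse_policy(raw)
        print(name, spray_plan(pol), assess(pol))
```

For the constructed default policy this yields three attempts per account per window with a 35-minute wait between rounds and an exhaustive 8-character NTLM crack measured in hours; for the constructed weak policy it reports no lockout, no expiry and no history. Feed it real values from ldapsearch output and the same functions apply.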

Stakeholder Explanation

With any employee-level account, an attacker can read your password rules — how long passwords must be, how many failed attempts trigger a lockout, and how long the lockout lasts. Weak settings directly enable the credential attacks that follow. The risk is not that the policy is secret; it is that weak settings make attacks viable.

Report Phrasing

Finding: Weak Domain Password Policy Enables Credential Attacks. The assessor enumerated the default domain password policy: minimum length [N] characters, complexity [enabled/disabled], lockout threshold [N] with [N]-minute reset. [Impact on spray/cracking feasibility]. Severity: Medium. Recommendation: Increase minimum length to 14+. Implement fine-grained policies for service accounts (25+ characters).