Passwordreq No - A hacker perspective
Ever have one of those topics that you know you’ve looked up 100 times but never can remember the answer?
I was having one of those moments in a recent conversation on the NoVA Hackers mailing list (If you want to join please read the instructions before requesting to join).
The question came up as to what the effect of “Password Required: No” in a net user UserName is.
As usual, MSDN isn’t very helpful:
from: https://technet.microsoft.com/en-us/library/cc771865%28v=ws.11%29.aspx
An old ISS finding wasn’t any more helpful:
from: http://www.iss.net/security_center/reference/vulntemp/nt-usernopw.htm
But they did at least provide mitigations and remediation steps.
Finally doing tests on a number of different scenarios, I finally figured out what it meant in more concrete terms:
If the passwordreq field is set to No on an account, the password CAN be blank, which essentially bypasses any password complexity requirements.
In one specific case this actually makes things more secure:
CIFS/SMB does not allow access to shares or IFS actions by default as per default computer/group policy. However, RDP, WinRM, and WMI work just fine.
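To find accounts carrying this flag, here is an added example (not code from the original post). It lists local accounts through Get-LocalUser and, going beyond the post's local net user case, domain accounts through the matching userAccountControl bit. The function name Get-PasswordNotRequiredAccount and its -IncludeDomain switch are hypothetical, and the domain branch assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: list accounts whose "Password required" flag is No.
# Read-only; nothing here changes an account.
function Get-PasswordNotRequiredAccount {
    [CmdletBinding()]
    param(
        # Also query Active Directory (assumes the RSAT ActiveDirectory module).
        [switch]$IncludeDomain
    )

    # Local SAM accounts: the flag surfaces as the PasswordRequired property.
    Get-LocalUser | Where-Object { -not $_.PasswordRequired } | ForEach-Object {
        [pscustomobject]@{
            Scope           = 'Local'
            Name            = $_.Name
            Enabled         = $_.Enabled
            PasswordLastSet = $_.PasswordLastSet
        }
    }

    if ($IncludeDomain) {
        Import-Module ActiveDirectory -ErrorAction Stop
        # Same flag in AD: bit 0x20 (PASSWD_NOTREQD, decimal 32) of
        # userAccountControl, matched with the LDAP bitwise-AND rule.
        Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=32)' `
                   -Properties PasswordLastSet | ForEach-Object {
            [pscustomobject]@{
                Scope           = 'Domain'
                Name            = $_.SamAccountName
                Enabled         = $_.Enabled
                PasswordLastSet = $_.PasswordLastSet
            }
        }
    }
}

# Enabled accounts first: those are the ones that can actually log on.
Get-PasswordNotRequiredAccount |
    Sort-Object -Property Enabled -Descending |
    Format-Table -AutoSize

# To clear the flag on an account once it has a real password:
#   net user <UserName> /passwordreq:yes
```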