Passwordreq No - A hacker perspective
Ever have one of those topics that you know you’ve looked up 100 times but never can remember the answer?
The question came up as to what “Password Required: No” means in the output of net user UserName.
As usual, MSDN isn’t very helpful:
An old ISS finding wasn’t any more helpful:
But they did at least provide mitigations and remediation steps.
Finally, after doing tests on a number of different scenarios, I figured out what it meant in more concrete terms:
When the passwordreq field is set to no on an account, the password CAN be blank, which essentially bypasses any password complexity requirements:
In one specific case this actually makes things more secure:
CIFS/SMB does not allow access to shares or IFS actions by default as per default computer/group policy. However, RDP, WinRM, and WMI work just fine.
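To find accounts in this state before someone else does, the following audit is an added example, not code from the original post. It assumes the built-in Microsoft.PowerShell.LocalAccounts module and, for the optional domain query, the RSAT ActiveDirectory module; the function name and ExampleUser are hypothetical.

```powershell
# Added example: report accounts whose "Password required" value is No.
function Get-PasswordNotRequiredAccount {
    [CmdletBinding()]
    param(
        # Also query Active Directory (needs the RSAT ActiveDirectory module).
        [switch]$IncludeDomain
    )

    # Local SAM accounts: PasswordRequired is $false when
    # "net user <name>" prints "Password required  No".
    Get-LocalUser | Where-Object { -not $_.PasswordRequired } | ForEach-Object {
        [pscustomobject]@{
            Scope           = 'Local'
            Name            = $_.Name
            Enabled         = $_.Enabled
            PasswordLastSet = $_.PasswordLastSet
        }
    }

    if ($IncludeDomain) {
        Import-Module ActiveDirectory -ErrorAction Stop
        # PasswordNotRequired maps to the PASSWD_NOTREQD (0x0020) bit
        # of the userAccountControl attribute.
        Get-ADUser -Filter 'PasswordNotRequired -eq $true' -Properties PasswordLastSet |
            ForEach-Object {
                [pscustomobject]@{
                    Scope           = 'Domain'
                    Name            = $_.SamAccountName
                    Enabled         = $_.Enabled
                    PasswordLastSet = $_.PasswordLastSet
                }
            }
    }
}

# Enabled accounts sort to the top: those are the ones to fix first.
Get-PasswordNotRequiredAccount |
    Sort-Object Enabled -Descending |
    Format-Table -AutoSize

# Remediation for a local account (run elevated); ExampleUser is a placeholder:
# net user ExampleUser /passwordreq:yes
```

Setting /passwordreq:yes only restores the requirement; an account that already has a blank password keeps it until the password is changed.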