Prevent Password Storage in Group Policy Preferences
Make sure passwords aren't saved in Group Policy Preferences for added security.
Plain language
This control is about making sure that passwords aren't stored in Group Policy Preferences, a Microsoft feature for pushing settings (local accounts, services, scheduled tasks, mapped drives and so on) to many computers at once. Those settings live as files on the domain controllers' SYSVOL share, which every domain user can read. A password stored there is not really secret: anyone with a foothold on the network can find it and misuse it, putting the whole domain in danger.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Passwords are not stored in Group Policy Preferences.
Why it matters
Group Policy Preferences that set a password (local users and groups, services, scheduled tasks, data sources, mapped drives, printers) write it to an XML file in SYSVOL as a cpassword attribute. The value is AES-encrypted, but Microsoft published the key in its own documentation, and SYSVOL is readable by every authenticated domain user, so recovering the cleartext is trivial for any attacker with a domain foothold. These passwords are usually for local administrator or service accounts reused across many hosts, so one recovered value gives lateral movement and can lead to domain compromise. MS14-025 stopped the Group Policy editor from creating new password fields, but it did not remove ones that already exist, so legacy GPOs still need to be audited.
Operational notes
Audit every GPO's preference files under \\<domain>\SYSVOL\<domain>\Policies (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml) for a cpassword attribute, remove any preference item that sets one, and treat the password it held as compromised: rotate it on every system the preference was applied to. Use LAPS for local administrator passwords, and a secrets vault or a managed service account for service credentials, instead of pushing them through Group Policy.
Implementation tips
- IT team should review current Group Policy Preferences: Go through all the existing preferences and ensure no passwords are stored in them. Use Microsoft's recommendations to identify and remove any passwords if found.
- System administrators should educate staff: Inform anyone who manages Group Policy about the risks of storing passwords in preferences. Hold a brief training session to demonstrate proper configuration techniques.
- IT team should set up alert systems: Configure alerts to notify administrators if any new policies attempt to store passwords. Use existing management tools to create these notifications.
- Management should update policy guidelines: Include a section in the IT policy that forbids the storage of passwords within Group Policy Preferences. Communicate this update to all relevant stakeholders.
- Create a regular audit schedule: Assign IT staff to perform routine checks on Group Policy settings every quarter. Document findings and follow up to fix any identified issues immediately.
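One way to run the SYSVOL check described in the operational notes and in the review and alerting tips above, as an added example that is not the ISM's or Control Stack's own tooling. It assumes a domain-joined Windows host where $env:USERDNSDOMAIN is set (otherwise pass -PoliciesPath) and a user that can read SYSVOL, which by default is any domain user; the GPO display-name lookup is an optional extra that only runs when the GroupPolicy RSAT module is installed.

```powershell
<#
Added example, not part of the ISM or the Control Stack page.
Scans SYSVOL for Group Policy Preference XML files that still carry a
cpassword attribute, which is exactly the field ISM-1829 is about.
Assumes a domain-joined host; SYSVOL is readable by Authenticated Users.
#>
[CmdletBinding()]
param(
    # Root of the domain's policy store. Override if USERDNSDOMAIN is unset.
    [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
)

# Preference types that can embed a password. Each is stored as
# <GPO GUID>\{Machine|User}\Preferences\<Type>\<Type>.xml.
$gppFileNames = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
                'DataSources.xml', 'Drives.xml', 'Printers.xml'

# The attribute naming the affected account differs per preference type.
$accountAttributes = 'userName', 'accountName', 'runAs', 'username'

function Find-GppPassword {
    param([Parameter(Mandatory)][string]$Root)

    if (-not (Test-Path -Path $Root)) { throw "Policies path not reachable: $Root" }

    $files = Get-ChildItem -Path $Root -Recurse -File -Include $gppFileNames -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        try { [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop }
        catch { Write-Warning "Could not parse $($file.FullName): $_"; continue }

        # Any element with a non-empty cpassword attribute is a finding; there is
        # no need to decrypt it, its presence alone is the control failure.
        foreach ($node in $doc.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')) {
            $account = $accountAttributes | ForEach-Object { $node.GetAttribute($_) } |
                       Where-Object { $_ } | Select-Object -First 1

            # GPO directories in SYSVOL are named {GUID}; the next segment is Machine or User.
            $gpoGuid = ''; $scope = ''
            if ($file.FullName -match '\\(\{[0-9A-Fa-f-]{36}\})\\(Machine|User)\\') {
                $gpoGuid = $Matches[1]; $scope = $Matches[2]
            }

            # The item element wrapping <Properties> carries the last-modified timestamp.
            $changed = if ($node.ParentNode -is [System.Xml.XmlElement]) {
                $node.ParentNode.GetAttribute('changed') } else { '' }

            [pscustomobject]@{
                GpoGuid = $gpoGuid
                Scope   = $scope
                File    = $file.Name
                Account = $account
                Changed = $changed
                Path    = $file.FullName
            }
        }
    }
}

$findings = @(Find-GppPassword -Root $PoliciesPath)

if ($findings.Count -eq 0) {
    Write-Output "No cpassword attributes found under $PoliciesPath"
    exit 0
}

# Optional: resolve the GPO display name when the GroupPolicy module is available.
if (Get-Command -Name Get-GPO -ErrorAction SilentlyContinue) {
    foreach ($finding in $findings) {
        $gpo = Get-GPO -Guid ($finding.GpoGuid -replace '[{}]', '') -ErrorAction SilentlyContinue
        $finding | Add-Member -NotePropertyName GpoName -NotePropertyValue $gpo.DisplayName
    }
}

$findings | Format-Table -AutoSize
Write-Warning ("{0} password(s) stored in Group Policy Preferences. Remove the field from each " +
               "GPO and rotate the account: the value must be treated as already disclosed.") -f $findings.Count
exit 1   # non-zero so a scheduled run can raise an alert
```

Run it on a schedule from a management host and alert on a non-zero exit code; that covers the "alert on new attempts" tip without any extra tooling. The Changed column comes from the preference item's own timestamp, so the report also shows roughly how long each password has been exposed, which matters when deciding what else to rotate.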
Audit / evidence tips
- Ask: the Group Policy audit logs. Request the logs that show recent changes to Group Policy Preferences.
  Good: logs showing that no passwords were stored in preferences, or that any found were removed.
- Ask: IT policy documentation. Request the organisation's IT policy document that mentions Group Policy Preferences.
  Good: a dated policy document with specific instructions not to store passwords.
- Ask: records of staff training. Request records or a schedule of any training sessions for IT staff about Group Policy management.
  Good: a dated training log with signatures from participants.
- Ask: automation configuration. Request documentation or screenshots showing alerts set for Group Policy changes.
  Good: an active alert system that detects any password storage attempts.
- Ask: the regular audit reports. Request the most recent audit reports on Group Policy Preferences.
  Good: a report that consistently finds no passwords stored in preferences.
Cross-framework mappings
How ISM-1829 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| Partially meets (2) | |
| Annex A 5.1 | ISM-1829 requires that passwords are not stored in Group Policy Preferences (GPP), representing a specific mandatory security configurati... |
| Annex A 8.8 | ISM-1829 requires that passwords are not stored in Group Policy Preferences (GPP), removing a known weak credential storage mechanism in ... |
E8
| Control | Notes |
|---|---|
| Supports (2) | |
| E8-RA-ML3.5 | ISM-1829 requires that passwords are not stored in Group Policy Preferences (GPP), reducing exposure of reusable credentials that attacke... |
| E8-RA-ML3.6 | ISM-1829 requires that passwords are not stored in Group Policy Preferences (GPP), preventing easy retrieval of privileged credentials fr... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.