Secure Account Properties in Active Directory
Do not use account fields that everyone can see to store passwords.
Plain language
This control is about making sure people don't store passwords in places where they can be easily accessed by anyone who shouldn't have them, like general account information in Active Directory. The risk here is that if sensitive data like passwords are stored where just anyone can see them, it becomes much easier for them to be misused, leading to security breaches and potentially serious consequences for the organisation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Account properties accessible by unprivileged users are not used to store passwords.
Why it matters
If passwords are stored in AD account attributes readable by unprivileged users, attackers can harvest credentials and escalate access, leading to broader compromise.
Operational notes
Audit AD user attributes (e.g., description, comment, notes) and remove any stored passwords or secrets from fields readable by unprivileged users.
Implementation tips
- IT team should identify which fields in Active Directory are visible to all users. This can be done by reviewing the permissions of account attributes and understanding the default settings to know what information is publicly accessible.
- System administrators should update documentation to clearly state which fields should never contain passwords or sensitive data. They can achieve this by adding notes to existing user management guides and ensuring they are distributed to all relevant staff.
- Managers should provide training to all employees involved in managing user accounts to reinforce the importance of not storing passwords in common fields. Organise a workshop or a short training session where this policy is thoroughly explained.
- IT support staff should audit existing accounts to ensure passwords are not stored in easily accessible fields. They can do this by sampling a portion of accounts and checking the common fields for the presence of password-like data.
- The organisation's security officer should enforce regular reviews of account properties. Establish a quarterly review process where account configurations are checked for compliance with this control.
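The audit described in the operational notes and in the "audit existing accounts" tip above, as an added example that is not from the Control Stack page or the ISM: a PowerShell sweep over every user's description, comment and info (the ADUC "Notes" field) attributes for password-like strings. It assumes the ActiveDirectory RSAT module and read access to the domain; the attribute list and the regular expression are assumptions to tune for your environment.

```powershell
# Added example: find AD user attributes that look like they hold a password.
# Assumes the ActiveDirectory module (RSAT) and an account that can read user objects.
Import-Module ActiveDirectory

# Attributes the control is concerned with (assumed list; extend as needed).
# 'info' is the attribute behind the "Notes" field in Active Directory Users and Computers.
$Attributes = 'description', 'comment', 'info'

# Assumed heuristic: a password-ish keyword followed by something that looks like a value.
$Pattern = '(?i)\b(pass(word|wd|phrase)?|pwd|secret|pin)\b\s*[:=]?\s*\S+'

$Findings = Get-ADUser -Filter * -Properties $Attributes | ForEach-Object {
    $User = $_
    foreach ($Attr in $Attributes) {
        $Value = $User.$Attr
        if ($Value -and ($Value -match $Pattern)) {
            # Record where the hit is, not the matched text, so the report itself
            # does not become another readable copy of the secret.
            [pscustomobject]@{
                SamAccountName    = $User.SamAccountName
                Attribute         = $Attr
                DistinguishedName = $User.DistinguishedName
            }
        }
    }
}

$Findings | Sort-Object SamAccountName | Format-Table -AutoSize
# Evidence for the audit file (see "Audit / evidence tips"): one row per attribute to clean up.
$Findings | Export-Csv -Path .\ad-attribute-secrets-audit.csv -NoTypeInformation
```

Each row is a field to clear and a credential to rotate; an empty result on a sample of accounts is the evidence the audit tips ask for.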
Audit / evidence tips
- Ask: a list of all Active Directory attributes and who can view them
  Good: a clear list showing restricted access to fields not meant for general viewing
- Good: includes a well-maintained document with clear prohibitions on storing passwords in visible fields
- Ask: records of training sessions or workshops provided to employees
  Good: a document showing regular training with topics covering account property security
- Good: details audits with recommendations and follow-up actions completed
- Ask: the schedule of regular reviews of account fields
  Good: a recurring entry in the organisational calendar with an assigned responsible person
Cross-framework mappings
How ISM-1839 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.15 | ISM-1839 requires that Active Directory account properties visible to unprivileged users are not used to store passwords | |
| Annex A 8.3 | ISM-1839 requires organisations to prevent passwords being stored in Active Directory account properties accessible by unprivileged users | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.