Prevent Storing Passwords in Group Policy Preferences
Ensure passwords are not saved in Group Policy to enhance security.
Plain language
This rule is about making sure that no one saves passwords inside the system settings of your organisation’s network. It's crucial because if someone malicious gains access, they could easily find these passwords and use them to break into your secure systems, putting sensitive information at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Passwords are prevented from being stored in Group Policy Preferences.
Why it matters
If passwords are stored in Group Policy Preferences, attackers can decrypt them from SYSVOL and rapidly escalate privileges across the domain.
Operational notes
Audit the GPP XML files in SYSVOL for cpassword entries and remove or replace them; use LAPS or managed service accounts instead, and restrict SYSVOL access and replication.
Implementation tips
- IT Team: Ensure that Group Policy Preferences within the network settings do not contain any saved passwords. This can be done by reviewing each Group Policy setting and making sure passwords are left blank.
- IT Team: Train staff on the importance of not storing passwords in Group Policy Preferences. Conduct a brief training session to explain why this practice is risky and how to manage passwords safely.
- System Administrator: Disable the ability to store passwords within Group Policy Preferences. This involves accessing the Group Policy Management Console and ensuring that password options are not being filled out or used.
- Cyber Security Lead: Set up a regular audit to check that no new Group Policies are created with passwords stored in them. Schedule these checks monthly to ensure compliance.
- IT Security Team: Implement an alternate secure method for managing passwords, such as using a dedicated password manager. Set up and instruct staff on how to use the password manager effectively.
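For the audit step described in the operational notes and in the Cyber Security Lead tip above, here is an added PowerShell example. It is not code from the ISM or from Control Stack; it assumes a domain-joined host with read access to SYSVOL, and the GroupPolicy RSAT module (Get-GPO) is optional and used only to resolve GPO display names. It enumerates every Group Policy Preferences XML file under SYSVOL and reports each preference item that still carries a cpassword attribute, without touching the stored value.

```powershell
# Added example: audit SYSVOL for Group Policy Preferences items that still
# embed a credential (cpassword attribute). Not code from the ISM or Control Stack.
# Assumes: domain-joined host, read access to SYSVOL; Get-GPO (GroupPolicy
# module) is optional and only used to resolve GPO names.
param(
    [string]$Domain     = $env:USERDNSDOMAIN,
    [string]$ReportPath = (Join-Path $PWD 'gpp-cpassword-audit.csv')
)

$policyRoot = "\\$Domain\SYSVOL\$Domain\Policies"
if (-not (Test-Path $policyRoot)) {
    throw "SYSVOL policy share not reachable: $policyRoot"
}

# Preference item types that can carry an embedded (cpassword) credential.
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'

$findings = foreach ($file in Get-ChildItem -Path $policyRoot -Recurse -File -Include $gppFiles -ErrorAction SilentlyContinue) {
    try   { [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop }
    catch { Write-Warning "Could not parse $($file.FullName): $_"; continue }

    # The GPO GUID is the folder name directly under \Policies\.
    $gpoGuid = $file.FullName.Substring($policyRoot.Length).TrimStart('\').Split('\')[0]
    $gpoName = '(unresolved)'
    if (Get-Command Get-GPO -ErrorAction SilentlyContinue) {
        try { $gpoName = (Get-GPO -Guid $gpoGuid.Trim('{}') -ErrorAction Stop).DisplayName } catch {}
    }

    # Any <Properties> element with a non-empty cpassword attribute is a finding.
    foreach ($props in $doc.SelectNodes('//Properties[@cpassword != ""]')) {
        $item = $props.ParentNode
        [pscustomobject]@{
            GpoGuid = $gpoGuid
            GpoName = $gpoName
            File    = $file.FullName
            Item    = $item.LocalName
            Target  = $item.name
            # The attribute naming the affected account differs per item type
            # (userName for users/drives/printers, accountName for services, runAs for tasks).
            Account = (@($props.userName, $props.accountName, $props.runAs) | Where-Object { $_ }) -join ','
            Changed = $item.changed
        }
    }
}

if (-not $findings) {
    Write-Host "No cpassword entries found under $policyRoot"
} else {
    $findings | Sort-Object GpoName, File | Format-Table -AutoSize
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "$(@($findings).Count) finding(s) written to $ReportPath"
}
```

Run it from an administrative workstation and schedule it monthly as the audit tip suggests. For every row reported, delete or re-create the preference item in the Group Policy Management Console so that it no longer sets a password, rotate the affected account's credential (it has been readable by every domain member, so treat it as exposed), and move the use case to LAPS for local administrator accounts or to a group managed service account for services and scheduled tasks. Keep the CSV reports as the audit evidence requested in the section that follows.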
Audit / evidence tips
- Ask for the current list of Group Policy settings: request a document or report listing all active Group Policy Preferences.
- Good: a comprehensive list where no Group Policy contains any saved password.
- Ask for recent training records: request documentation or attendance lists for training sessions covering password management.
- Ask to see documentation on password management policies: specifically request policies related to Group Policy settings.
- Ask for records of the regular audits conducted on Group Policy Preferences.
Cross-framework mappings
How ISM-1930 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.17 | ISM-1930 requires organisations to prevent passwords being stored in Group Policy Preferences (GPP), removing a known mechanism for expos... |
| Supports | Annex A 8.12 | ISM-1930 requires organisations to prevent passwords being stored in Group Policy Preferences, reducing the likelihood of credential disc... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.