Prevent Storing Passwords in Group Policy Preferences
Ensure passwords are not saved in Group Policy to enhance security.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Aug 2024
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Passwords are prevented from being stored in Group Policy Preferences.
Source: ASD Information Security Manual (ISM)
Plain language
This rule is about making sure that no one saves passwords inside the system settings of your organisation’s network. It's crucial because if someone malicious gains access, they could easily find these passwords and use them to break into your secure systems, putting sensitive information at risk.
Why it matters
If passwords are stored in Group Policy Preferences, attackers can decrypt them from SYSVOL and rapidly escalate privileges across the domain.
Operational notes
Audit GPP for cpassword entries and remove/replace them; use LAPS/managed service accounts and restrict SYSVOL access and replication.
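The audit step above, as an added example that is not part of the ISM or of this page: a PowerShell script that walks the SYSVOL Policies share, parses each Group Policy Preference XML file, and reports every element that carries a cpassword attribute, without decrypting anything. The -SysvolPath and -ReportPath parameters, the default path built from $env:USERDNSDOMAIN, and the GPO display-name lookup through the optional GroupPolicy module are assumptions; run it from a domain-joined host with read access to SYSVOL.

```powershell
# Added example, not from the ISM or the Control Stack page.
# Audits SYSVOL for Group Policy Preference items that still carry a cpassword
# attribute. Reports only where they are; nothing is decrypted.
param(
    # Assumption: domain SYSVOL share for the current user's domain
    [string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies",
    [string]$ReportPath = ".\gpp-cpassword-audit.csv"
)

# GPP XML files that can contain a cpassword attribute
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'

$findings = foreach ($file in Get-ChildItem -Path $SysvolPath -Recurse -File `
                                -Include $gppFiles -ErrorAction SilentlyContinue) {
    try {
        [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop
    } catch {
        Write-Warning "Could not parse $($file.FullName): $_"
        continue
    }

    # Policy GUID is the folder name directly under \Policies
    $guid = if ($file.FullName -match '\{[0-9A-Fa-f-]+\}') { $matches[0] } else { '' }

    # Resolve the GPO display name when the GroupPolicy module is available
    $gpoName = ''
    if ($guid -and (Get-Command Get-GPO -ErrorAction SilentlyContinue)) {
        try { $gpoName = (Get-GPO -Guid $guid -ErrorAction Stop).DisplayName } catch { }
    }

    # Any element with a cpassword attribute, regardless of nesting
    foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
        # The account attribute name differs per preference type
        $account = @('userName', 'username', 'accountName', 'runAs') |
            ForEach-Object { $node.GetAttribute($_) } |
            Where-Object { $_ } | Select-Object -First 1

        [pscustomobject]@{
            PolicyGuid   = $guid
            GpoName      = $gpoName
            File         = $file.FullName
            ItemType     = $node.ParentNode.Name            # e.g. User, Service, Task
            ItemName     = $node.ParentNode.GetAttribute('name')
            Account      = $account
            LastChanged  = $node.ParentNode.GetAttribute('changed')
            CpasswordSet = -not [string]::IsNullOrEmpty($node.GetAttribute('cpassword'))
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "$(@($findings).Count) GPP item(s) with a cpassword attribute; report written to $ReportPath"
    exit 1   # non-zero so a scheduled audit job flags the result
} else {
    Write-Host "No cpassword attributes found under $SysvolPath"
    exit 0
}
```

Scheduling this as the monthly check gives a repeatable audit record: the CSV is the evidence, and a non-zero exit code is the alert. For each hit, remove the whole preference item rather than only blanking the attribute, and rotate the password of the account it names, since earlier copies of the XML may survive in backups or replication history.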
Implementation tips
- IT Team: Ensure that Group Policy Preferences within the network settings do not contain any saved passwords. This can be done by reviewing each Group Policy setting and making sure passwords are left blank.
- IT Team: Train staff on the importance of not storing passwords in Group Policy Preferences. Conduct a brief training session to explain why this practice is risky and how to manage passwords safely.
- System Administrator: Disable the ability to store passwords within Group Policy Preferences. This involves accessing the Group Policy Management Console and ensuring that password options are not being filled out or used.
- Cyber Security Lead: Set up a regular audit to check that no new Group Policies are created with passwords stored in them. Schedule these checks monthly to ensure compliance.
- IT Security Team: Implement an alternate secure method for managing passwords, such as using a dedicated password manager. Set up and instruct staff on how to use the password manager effectively.
Audit / evidence tips
- Ask for the current list of Group Policy settings: request a document or report listing all active Group Policy Preferences.
- Good: a comprehensive list in which no Group Policy contains any saved password.
- Ask for recent training records: request documentation or attendance lists for training sessions covering password management.
- Ask to see documentation on password management policies: specifically request policies related to Group Policy settings.
- Ask for records of the regular audits conducted on Group Policy Preferences.
Cross-framework mappings
How ISM-1930 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 5.17 | ISM-1930 requires organisations to prevent passwords being stored in Group Policy Preferences (GPP), removing a known mechanism for expos... | |
| Supports (1) | ||
| Annex A 8.12 | ISM-1930 requires organisations to prevent passwords being stored in Group Policy Preferences, reducing the likelihood of credential disc... | |