H3-2023-0003¶

Pre-Windows 2000 Computer Set


Category	`SECURITY_MISCONFIGURATION`
Base Score	`9.8`

Description¶

Windows Active Directory supports pre-creating a machine to be joined to the domain by creating a computer account where the password is the same as the computer name. Additionally, if a machine account is reset and becomes out of sync with the domain, the domain controller will set the computer password to the computer name.

Impact¶

An attacker can discover Pre-2K computer accounts by spraying all the computer names as the password. Once the attacker is successful in identifying one, they can reset its password and gain control of the account.

References¶

Diving Into Pre-Created Computer Accounts