What are the risks?

Risks of Misconfigured UserAccountControl (UAC) Values

In Active Directory, the UserAccountControl (UAC) attribute plays a critical role in defining account security. However, misconfigured UAC values can introduce significant security risks.

1. Disabled Accounts Left Active

If an account that should be disabled (e.g., a former employee’s account) remains active (value 512 instead of 514), it may be exploited by malicious insiders or external attackers.

2. Password Never Expires (8388608)

Allowing accounts to have non-expiring passwords weakens security. Over time, if a password is leaked or brute-forced, attackers may gain long-term access without detection.

3. No Pre-Authentication (65536)

Disabling Kerberos pre-authentication lets an attacker request Kerberos authentication material for the account without knowing its password and brute-force that material offline, which is a critical vulnerability.

4. Smartcard Not Enforced (4194304)

If policy requires smart card logon but the flag is not set on the account, the account can still authenticate with a password alone, which is easier to compromise.

5. Service and Delegation Risks (262144 – Trusted for Delegation)

Accounts configured for delegation may be abused in Pass-the-Ticket or Kerberos delegation attacks, allowing attackers to impersonate services or escalate privileges.

6. Stale Accounts

Old accounts with valid credentials and misconfigured UAC values are often targeted, since they are less monitored but still have access.

In summary, UAC values must be carefully monitored. Incorrect configurations can create backdoors, weaken password policies, and expose sensitive systems to unauthorized access. Regular auditing of UAC attributes is essential for maintaining strong security in Active Directory.
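As an added example (not the site's own decoder), the following Python script decodes a userAccountControl value into its flag names and audits a constructed set of account records for the six conditions listed above. The bit constants are the ones Microsoft documents for userAccountControl (ADS_USER_FLAG_ENUM); the record layout, the sample accounts, their last-logon dates and the 90-day staleness threshold are assumptions.

```python
from datetime import date
# Bit values Microsoft documents for userAccountControl (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "DONT_REQ_PREAUTH": 0x400000,
}

def decode_uac(value):
    """Return the names of every flag bit set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def audit_account(acct, today, stale_days=90):
    """Return risk findings for one account record (hypothetical dict layout)."""
    uac = acct["userAccountControl"]
    disabled = bool(uac & UAC_FLAGS["ACCOUNTDISABLE"])
    findings = []
    if acct.get("left_company") and not disabled:
        findings.append("former-employee account still enabled")
    if uac & UAC_FLAGS["DONT_EXPIRE_PASSWORD"]:
        findings.append("password never expires")
    if uac & UAC_FLAGS["DONT_REQ_PREAUTH"]:
        findings.append("Kerberos pre-authentication not required")
    if acct.get("smartcard_policy") and not uac & UAC_FLAGS["SMARTCARD_REQUIRED"]:
        findings.append("smart card required by policy but not enforced")
    if uac & UAC_FLAGS["TRUSTED_FOR_DELEGATION"]:
        findings.append("trusted for delegation")
    if not disabled and (today - acct["last_logon"]).days > stale_days:
        findings.append(f"stale: no logon in {stale_days}+ days")
    return findings

# Constructed sample records; illustrative values, not real directory data.
SAMPLE_ACCOUNTS = [
    {"sam": "jdoe", "userAccountControl": 512, "last_logon": date(2025, 1, 2), "left_company": True, "smartcard_policy": True},
    {"sam": "svc_backup", "userAccountControl": 512 | 0x10000 | 0x80000, "last_logon": date(2025, 5, 1)},
    {"sam": "legacyapp", "userAccountControl": 512 | 0x400000, "last_logon": date(2024, 11, 20)},
    {"sam": "asmith", "userAccountControl": 514, "last_logon": date(2023, 6, 1)},
]

def audit_all(accounts, today=date(2025, 6, 1)):
    """Map each sAMAccountName to its findings as of the given audit date."""
    return {a["sam"]: audit_account(a, today) for a in accounts}

if __name__ == "__main__":
    for sam, findings in audit_all(SAMPLE_ACCOUNTS).items():
        print(f"{sam}: {findings or 'ok'}")
```

In a real audit the records would come from an LDAP or PowerShell export of userAccountControl and lastLogonTimestamp, and the "left_company" and "smartcard_policy" fields from the HR or policy source the organisation uses.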

© 2025 UAC value - All Rights Reserved.
uacdecoder.com is a subsidiary of lab101.info