🟠 High | Source: The Register — Security
A UK school’s network was left critically exposed after a student discovered that an administrator password had been stored in plain text within an Active Directory account description field. This elementary misconfiguration granted broad network access to anyone who found it. The incident highlights how basic security hygiene failures in on-premises and hybrid environments can undermine an entire organisation’s defences.
Security Architect’s Take: Audit all Active Directory and directory service accounts immediately to ensure no credentials, hints, or sensitive data are stored in description, comment, or notes fields — this is trivially discoverable by any authenticated user. Enforce least-privilege access and implement a secrets management solution to eliminate any manual, ad-hoc credential handling.
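One way to run the audit described above, as an added example that is not from the article or the school's environment. It assumes the RSAT ActiveDirectory module and an account with ordinary read access; the regex heuristics and the choice of `description`, `info` (the Notes box) and `comment` are assumptions to tune locally.

```powershell
# Added example: flag credential-like text in free-text AD attributes.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# Free-text attributes to inspect: description, info ("Notes" in ADUC), comment.
$attrs = 'description', 'info', 'comment'

# Assumed heuristics. [regex]::IsMatch is case-sensitive, so case-insensitive
# patterns opt in with (?i); the "Complex" pattern relies on case sensitivity.
$patterns = @{
    Keyword  = '(?i)\b(pass(word|wd)?|pwd|pw|cred(ential)?s?|secret)\b'
    Assigned = '(?i)\b(pw|pwd|pass\w*)\s*[:=]\s*\S+'
    Complex  = '(?<!\S)(?=\S*[a-z])(?=\S*[A-Z])(?=\S*\d)(?=\S*[^\w\s])\S{8,}'
}

# Users, computers and groups that have at least one of the attributes set.
$filter = '(&(|(objectCategory=person)(objectCategory=computer)(objectCategory=group))' +
          '(|(description=*)(info=*)(comment=*)))'
$objects = Get-ADObject -LDAPFilter $filter `
    -Properties ($attrs + 'sAMAccountName', 'adminCount')

$findings = foreach ($obj in $objects) {
    foreach ($attr in $attrs) {
        foreach ($value in @($obj.$attr)) {
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            $text = [string]$value
            $hits = $patterns.Keys |
                Where-Object { [regex]::IsMatch($text, $patterns[$_]) }
            if (-not $hits) { continue }
            # The matched text is deliberately left out of the report so the
            # audit output does not become a second copy of the secret.
            [pscustomobject]@{
                Account    = $obj.sAMAccountName
                Attribute  = $attr
                Reason     = ($hits | Sort-Object) -join ','
                Length     = $text.Length
                Privileged = [bool]$obj.adminCount  # 1 = protected/privileged
                DN         = $obj.DistinguishedName
            }
        }
    }
}

# Review privileged accounts first.
$findings | Sort-Object Privileged -Descending | Format-Table -AutoSize
```

Any account this flags should have its password rotated after the field is cleared, since the value may already have been read.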
Original advisory: UK school’s network left wide open for invasion, student found