Over 65% of host vulnerabilities stem from misconfigurations
The BI.ZONE EDR team has analyzed more than 150 Russian companies from a range of industries. The data has been sourced from almost 300,000 hosts (servers and workstations). The findings reveal that 66% of the hosts have at least one dangerous misconfiguration—an error in application or access settings—that can be successfully exploited by adversaries.
1. Password policy violations are the most common type of misconfigurations
Our research shows that 65% of macOS hosts do not have a properly configured password policy. Instead, they rely on the default policy, which allows very weak 4‑character passwords. For better security, passwords should have at least 8, and preferably 10–12, characters.
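As an added example (not part of the BI.ZONE report), the check below reads the output of the macOS `pwpolicy -getaccountpolicies` command, which prints a status line followed by a plist, and extracts the minimum-length rule from the global password-content policy. The constructed sample output, the `'^$|.{4,}+'` form of the default rule and the status line in front of the XML are assumptions about the format, not data from the report.

```python
import plistlib
import re
import subprocess
from typing import Optional

# Constructed sample of `pwpolicy -getaccountpolicies` output for a host that is
# still on the default policy. The plist shape and the '.{4,}+' rule are an
# assumption about macOS's default global policy, not data from the report.
SAMPLE_PWPOLICY_OUTPUT = """Getting global account policies
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '^$|.{4,}+'</string>
      <key>policyIdentifier</key>
      <string>com.apple.policy.legacy.minChars</string>
    </dict>
  </array>
</dict>
</plist>
"""

# A minimum-length rule is expressed as a regex quantifier such as .{8,}
MIN_LENGTH_RE = re.compile(r"\.\{(\d+),\}")


def minimum_password_length(pwpolicy_output: str) -> Optional[int]:
    """Return the minimum length enforced by the global password-content policy.

    pwpolicy prints a status line before the XML, so parsing starts at '<?xml'.
    Every policyContent rule must match, so the effective minimum is the
    largest quantifier found; None means there is no length rule at all.
    """
    start = pwpolicy_output.find("<?xml")
    if start < 0:
        return None
    policy = plistlib.loads(pwpolicy_output[start:].encode("utf-8"))
    lengths = []
    for rule in policy.get("policyCategoryPasswordContent", []):
        match = MIN_LENGTH_RE.search(rule.get("policyContent", ""))
        if match:
            lengths.append(int(match.group(1)))
    return max(lengths) if lengths else None


def audit_macos_password_policy(pwpolicy_output: str, required: int = 8) -> str:
    """Grade the policy against the report's recommendation (8+, ideally 10-12)."""
    length = minimum_password_length(pwpolicy_output)
    if length is None:
        return "FAIL: no minimum-length rule in the global account policy"
    if length < required:
        return f"FAIL: minimum password length is {length}, at least {required} required"
    return f"OK: minimum password length is {length}"


def audit_live_host(required: int = 8) -> str:
    """Run pwpolicy on the current Mac (needs macOS and an administrator account)."""
    output = subprocess.run(
        ["pwpolicy", "-getaccountpolicies"], capture_output=True, text=True, check=True
    ).stdout
    return audit_macos_password_policy(output, required)


if __name__ == "__main__":
    print(audit_macos_password_policy(SAMPLE_PWPOLICY_OUTPUT))
```

Run `audit_live_host()` on a Mac to grade the real policy; on other systems the sample shows the default-policy case, which the check reports as a failure because 4 characters is below the 8-character floor.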
Among the examined Linux hosts, 61% do not have a password set for the GRUB boot loader. This misconfiguration lets an adversary with console access boot the system into single‑user mode and reset the passwords of system accounts, ultimately gaining control over the attacked system.
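The following audit, added here as an example and not taken from the report, checks a generated `grub.cfg` for the two lines that protect the boot menu: `set superusers` and a `password_pbkdf2` entry. The three configuration samples are constructed, the hash in the protected sample is a placeholder, and the list of `grub.cfg` locations is an assumption about common distributions.

```python
import re
from pathlib import Path
from typing import Optional

# Where grub-mkconfig writes its output on common distributions (assumption).
GRUB_CFG_CANDIDATES = ("/boot/grub/grub.cfg", "/boot/grub2/grub.cfg")

# Constructed samples of the relevant lines in a generated grub.cfg.
UNPROTECTED_CFG = """# generated by grub-mkconfig
set timeout=5
menuentry 'Linux' {
    linux /vmlinuz root=/dev/sda1
}
"""
PROTECTED_CFG = """set timeout=5
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Linux' --unrestricted {
    linux /vmlinuz root=/dev/sda1
}
"""
PLAINTEXT_CFG = """set superusers="root"
password root example-plaintext-secret
"""


def audit_grub_config(cfg_text: str) -> str:
    """Return an OK/WARN/FAIL verdict for the boot-loader password state."""
    superusers: Optional[str] = None
    hashed = False
    plaintext = False
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = re.match(r"""set\s+superusers=["']?([^"']+)""", line)
        if match:
            superusers = match.group(1)
        elif line.startswith("password_pbkdf2 "):
            hashed = True  # hashed credential produced by grub-mkpasswd-pbkdf2
        elif line.startswith("password "):
            plaintext = True  # legacy plain-text form, readable by anyone who can read the file
    if superusers is None:
        return "FAIL: no 'set superusers' line; boot entries can be edited without a password"
    if hashed:
        return f"OK: superuser '{superusers}' is protected by a PBKDF2 hash"
    if plaintext:
        return "WARN: password stored in plain text; use grub-mkpasswd-pbkdf2 and password_pbkdf2"
    return "FAIL: superusers declared but no password line defines their credentials"


def audit_live_host() -> str:
    """Audit the first grub.cfg found on this machine (reading it usually needs root)."""
    for candidate in GRUB_CFG_CANDIDATES:
        path = Path(candidate)
        if path.is_file():
            return audit_grub_config(path.read_text(errors="replace"))
    return "WARN: no grub.cfg found in the expected locations"


if __name__ == "__main__":
    for name, cfg in (("unprotected", UNPROTECTED_CFG), ("protected", PROTECTED_CFG)):
        print(f"{name}: {audit_grub_config(cfg)}")
```

To remediate, generate a hash with `grub-mkpasswd-pbkdf2`, add the `set superusers` and `password_pbkdf2` lines to `/etc/grub.d/40_custom`, and regenerate `grub.cfg`; marking the default entry `--unrestricted` keeps unattended reboots working while editing entries still requires the password.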
Nearly a third of Windows hosts (29%) have the Local Administrator Password Solution (LAPS) disabled. This tool generates a unique, secure local administrator password for each computer in the domain; the password is rotated automatically after a set period, and its value is stored in a protected location. With LAPS disabled, adversaries who compromise one local administrator account can reuse its static password to take over other devices in the network.
2. Up to a third of system administrators sacrifice security for temporary convenience
System administrators tend to disable security features on devices, believing that this improves system performance and spares them unnecessary hassle.
According to our findings, Local Security Authority (LSA) protection is disabled on 37% of the Windows hosts. This misconfiguration allows adversaries to read credentials held in the memory of the LSASS process.
In another 36% of cases, Windows hosts are not configured to sign SMB packets, the protocol responsible for remote access to files, devices, and other network resources. Cybercriminals may intercept and modify unsigned SMB packets to send commands to the target server and take over the system. Moreover, 4% of Windows hosts still use the outdated and vulnerable SMBv1 protocol, which can be exploited to gain access to the systems.
In addition, 13% of Windows hosts have OS component updates disabled. This also poses a threat, as outdated software versions often contain vulnerabilities that can only be fixed by installing updates.
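The Windows findings in this section (LAPS, LSA protection, SMB signing, SMBv1 and disabled updates) all correspond to registry values that a defender can read. The script below is an added example, not BI.ZONE's tooling: it evaluates a set of collected values against the expected hardened state and, on Windows, collects them with the standard `winreg` module. The two host profiles are constructed; the legacy LAPS (`AdmPwdEnabled`) and Windows LAPS (`BackupDirectory`) locations are stated as assumptions.

```python
import sys
from typing import Dict, List, Optional, Set, Tuple

RegValue = Tuple[str, str]  # (subkey under HKEY_LOCAL_MACHINE, value name)

LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
SRV = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
WKS = r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
WU = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
LEGACY_LAPS = r"SOFTWARE\Policies\Microsoft Services\AdmPwd"  # assumption: legacy LAPS policy key
WIN_LAPS = r"SOFTWARE\Microsoft\Policies\LAPS"                 # assumption: Windows LAPS policy key

# (check name, registry value, values that pass, verdict when the value is absent)
CHECKS: List[Tuple[str, RegValue, Set[int], str]] = [
    ("LSA protection (RunAsPPL)", (LSA, "RunAsPPL"), {1, 2}, "FAIL"),
    ("SMB server signing required", (SRV, "RequireSecuritySignature"), {1}, "FAIL"),
    ("SMB client signing required", (WKS, "RequireSecuritySignature"), {1}, "FAIL"),
    # Absent on builds where the SMBv1 feature is not installed, so only a warning.
    ("SMBv1 server disabled", (SRV, "SMB1"), {0}, "WARN"),
    # No policy value means the default of automatic updates applies.
    ("Automatic updates enabled", (WU, "NoAutoUpdate"), {0}, "OK"),
]
LAPS_VALUES: List[RegValue] = [(LEGACY_LAPS, "AdmPwdEnabled"), (WIN_LAPS, "BackupDirectory")]


def laps_configured(values: Dict[RegValue, Optional[int]]) -> bool:
    """Either LAPS generation counts: legacy AdmPwd or Windows LAPS backing up to AD/Entra."""
    legacy = values.get((LEGACY_LAPS, "AdmPwdEnabled")) == 1
    modern = values.get((WIN_LAPS, "BackupDirectory")) in (1, 2)
    return legacy or modern


def audit_windows(values: Dict[RegValue, Optional[int]]) -> Dict[str, str]:
    """Map each check name to an OK/WARN/FAIL verdict for the collected values."""
    results: Dict[str, str] = {}
    for name, (subkey, value_name), ok_values, missing_verdict in CHECKS:
        value = values.get((subkey, value_name))
        if value is None:
            results[name] = f"{missing_verdict}: {value_name} not set under HKLM\\{subkey}"
        elif value in ok_values:
            results[name] = f"OK: {value_name}={value}"
        else:
            results[name] = f"FAIL: {value_name}={value}"
    results["LAPS enabled"] = (
        "OK: a LAPS policy is in place" if laps_configured(values)
        else "FAIL: neither AdmPwdEnabled nor a Windows LAPS BackupDirectory is configured"
    )
    return results


def failing_checks(values: Dict[RegValue, Optional[int]]) -> List[str]:
    return sorted(name for name, verdict in audit_windows(values).items() if verdict.startswith("FAIL"))


def read_hklm(keys: List[RegValue]) -> Dict[RegValue, Optional[int]]:
    """Collect the values on a live Windows host; missing keys or values become None."""
    import winreg  # only importable on Windows
    values: Dict[RegValue, Optional[int]] = {}
    for subkey, name in keys:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as handle:
                values[(subkey, name)] = winreg.QueryValueEx(handle, name)[0]
        except OSError:
            values[(subkey, name)] = None
    return values


# Constructed profiles: the "convenience over security" host from the report, and a hardened one.
WEAK_HOST: Dict[RegValue, Optional[int]] = {
    (LSA, "RunAsPPL"): 0, (SRV, "RequireSecuritySignature"): 0,
    (WKS, "RequireSecuritySignature"): 0, (SRV, "SMB1"): 1, (WU, "NoAutoUpdate"): 1,
}
HARDENED_HOST: Dict[RegValue, Optional[int]] = {
    (LSA, "RunAsPPL"): 1, (SRV, "RequireSecuritySignature"): 1,
    (WKS, "RequireSecuritySignature"): 1, (SRV, "SMB1"): 0, (WU, "NoAutoUpdate"): 0,
    (WIN_LAPS, "BackupDirectory"): 2,
}

if __name__ == "__main__":
    all_values = [check[1] for check in CHECKS] + LAPS_VALUES
    host = read_hklm(all_values) if sys.platform == "win32" else WEAK_HOST
    for check_name, verdict in audit_windows(host).items():
        print(f"{check_name}: {verdict}")
```

Reading `HKLM` policy keys does not require administrator rights, so the collector can run as part of a routine inventory job; the verdict strings name the exact value that needs changing, which is what a remediation ticket needs.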
3. In a quarter of cases, authorization on a remote server violates security rules
The SSH protocol is used for secure remote login on macOS and Linux systems. Key‑based authentication is considered the most secure option for this protocol. However, on every fourth host, key authentication is disabled and password‑based SSH login is used instead.
Such hosts are often reachable from the Internet, which increases their exposure. Combined with password policy violations, this raises the likelihood of successful brute‑force attacks. To minimize this risk, SSH login with key authentication is recommended.
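To audit the SSH configuration described above, the parser below (an added example, not the report's tooling) computes the effective global `sshd_config` settings and flags password-based login. It follows OpenSSH's rules that keywords are case-insensitive, the first occurrence of a keyword wins, and settings under a `Match` block are conditional; the defaults table assumes OpenSSH 7.0 or later, and both configuration samples are constructed.

```python
import re
import subprocess
from typing import Dict, List

# OpenSSH defaults for the keywords that matter here (assumption: OpenSSH 7.0 or later).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Constructed sample in the state the report describes: key auth off, passwords on.
WEAK_SSHD_CONFIG = """
# Blank lines and lines starting with '#' are ignored
Port 22
PubkeyAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""
# The second PasswordAuthentication line above is ignored (first occurrence wins),
# and the one under Match only applies to that user, so globally passwords stay on.

HARDENED_SSHD_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings (lower-cased keyword -> value).

    The same parser reads `sshd -T` output, which is already lower-cased
    and has no Match blocks.
    """
    effective: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True  # a Match block runs to the next Match or end of file
            continue
        if in_match:
            continue
        effective.setdefault(keyword, value)  # first occurrence wins
    return effective


def audit_sshd_config(text: str) -> List[str]:
    """List FAIL/WARN findings; an empty list means password login is off and keys are on."""
    parsed = parse_sshd_config(text)
    if "challengeresponseauthentication" in parsed:  # pre-8.7 spelling of the same option
        parsed.setdefault("kbdinteractiveauthentication", parsed["challengeresponseauthentication"])
    cfg = {**DEFAULTS, **parsed}
    findings: List[str] = []
    if cfg["passwordauthentication"] != "no":
        findings.append("FAIL: PasswordAuthentication is enabled; password logins can be brute-forced")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("FAIL: PubkeyAuthentication is disabled")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("WARN: KbdInteractiveAuthentication still allows PAM password prompts")
    if cfg["permitrootlogin"] == "yes":
        findings.append("WARN: PermitRootLogin yes; prefer prohibit-password or no")
    return findings


def audit_live_host() -> List[str]:
    """Ask the running daemon for its effective configuration (needs root)."""
    output = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout
    return audit_sshd_config(output)


if __name__ == "__main__":
    for finding in audit_sshd_config(WEAK_SSHD_CONFIG) or ["OK: key-only login"]:
        print(finding)
```

Prefer `sshd -T` over reading the file when the daemon is running: it resolves `Include` directives and defaults for the installed version, which a file-based parse cannot.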