UCF STIG Viewer Logo

Windows service \ application accounts with administrative privileges and manually managed passwords, must have passwords changed at least every 60 days.


Overview

Finding ID Version Rule ID IA Controls Severity
V-44059 AD.0014 SV-56889r2_rule IAIA-1 Medium
Description
NT hashes of passwords for accounts that are not changed regularly are susceptible to reuse by attackers using Pass-the-Hash. Windows service \ application account passwords are not typically changed for longer periods of time to ensure availability of the applications. If a service \ application also has administrative privileges it will provide elevated access if compromised.
STIG Date
Active Directory Domain Security Technical Implementation Guide (STIG) 2018-09-13

Details

Check Text ( C-49474r3_chk )
If no Windows service \ application accounts with manually managed passwords have administrative privileges, this is NA.

Verify Windows service \ application accounts with administrative privileges and manually managed passwords, have passwords changed at least every 60 days.
Fix Text (F-49679r4_fix)
If no Windows service \ application accounts with manually managed passwords have administrative privileges, this is NA.

Change passwords for Windows service \ application accounts with administrative privileges and manually managed passwords, at least every 60 days.