UCF STIG Viewer Logo

The maximum age for machine account passwords must be set to requirements.


Overview

Finding ID Version Rule ID IA Controls Severity
V-226283 WN12-SO-000016 SV-226283r794585_rule Low
Description
Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This setting must be set to no more than 30 days, ensuring the machine changes its password monthly.
STIG Date
Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide 2022-03-01

Details

Check Text ( C-27985r476693_chk )
If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\

Value Name: MaximumPasswordAge

Value Type: REG_DWORD
Value: 30 (or less, but not 0)
Fix Text (F-27973r476694_fix)
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain member: Maximum machine account password age" to "30" or less (excluding "0" which is unacceptable).