Application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| WN12-00-000011 | WN12-00-000011 | WN12-00-000011_rule | Medium |
| Description |
|---|
| Setting application accounts to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. The site will have a policy that application account passwords are changed at least annually or when a system administrator with knowledge of the password leaves the organization. |
| STIG | Date |
|---|---|
| Microsoft Windows Server 2012 Domain Controller Security Technical Implementation Guide | 2013-07-25 |
Details
| Check Text ( C-WN12-00-000011_chk ) |
|---|
| The site must have a policy to ensure passwords for manually managed application/service accounts are changed at least annually or whenever a system administrator that has knowledge of the password leaves the organization. If such a policy does not exist or has not been implemented, this is a finding. Run the DUMPSEC utility. Select "Dump Users as Table" from the "Report" menu. Select the following fields, and click "Add" for each entry: UserName SID PwsdLastSetTime AcctDisabled If any application accounts listed have a date older than one year in the "PwsdLastSetTime" column, this is a finding. |
| Fix Text (F-WN12-00-000011_fix) |
|---|
| Establish a site policy that defines the requirements for application/service account password changes. Change application/service account passwords that are manually managed and entered by a system administrator at least annually or whenever an administrator with knowledge of the password leaves the organization. |