Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| WN12-00-000011 | WN12-00-000011 | WN12-00-000011_rule | Medium |
| Description |
|---|
| Setting application accounts to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. The site will have a policy that application account passwords are changed at least annually or when a system administrator with knowledge of the password leaves the organization. |
| STIG | Date |
|---|---|
| Microsoft Windows Server 2012 Domain Controller Security Technical Implementation Guide | 2013-07-25 |
Details
| Check Text ( C-WN12-00-000011_chk ) |
|---|
| The site must have a policy to ensure passwords for manually managed application/service accounts are changed at least annually or whenever a system administrator that has knowledge of the password leaves the organization. If such a policy does not exist or has not been implemented, this is a finding. Run the DUMPSEC utility. Select "Dump Users as Table" from the "Report" menu. Select the following fields, and click "Add" for each entry: UserName SID PwsdLastSetTime AcctDisabled If any application accounts listed have a date older than one year in the "PwsdLastSetTime" column, this is a finding. |
| Fix Text (F-WN12-00-000011_fix) |
|---|
| Establish a site policy that defines the requirements for application/service account password changes. Change application/service account passwords that are manually managed and entered by a system administrator at least annually or whenever an administrator with knowledge of the password leaves the organization. |