Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
WN12-GE-000016 | WN12-GE-000016 | WN12-GE-000016_rule | | Medium |
Description |
---|
Passwords that do not expire or are reused stay exposed for longer, which increases the probability that they will be discovered or cracked. |
STIG | Date |
---|---|
Microsoft Windows Server 2012 Domain Controller Security Technical Implementation Guide | 2013-07-25 |
Check Text ( C-WN12-GE-000016_chk ) |
---|
Run the DUMPSEC utility. Select "Dump Users as Table" from the "Report" menu. Select the following fields, and click "Add" for each entry: UserName, SID, PswdExpires, AcctDisabled, Groups. If any accounts have "No" in the "PswdExpires" column, this is a finding. The following are exempt from this requirement: application accounts, and domain accounts requiring smart card (CAC/PIV). The following PowerShell command may be used on domain controllers to list user accounts whose passwords are set to never expire: `Search-ADAccount -PasswordNeverExpires -UsersOnly`. Accounts that meet the requirements for allowable exceptions must be documented with the IAO. |
Fix Text (F-WN12-GE-000016_fix) |
---|
Configure all passwords to expire. Ensure "Password never expires" is not checked on any accounts. Document any exceptions with the IAO. |
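
The check above can be scripted so that the two exemptions are applied consistently. The following is an added example, not part of the STIG text: it builds the same columns as the DUMPSEC report and marks each non-expiring account as exempt or as a finding. The exception file path and its one-name-per-line format are assumptions made for this example.

```powershell
# Added example: evaluate WN12-GE-000016 on a domain controller.
# Requires the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Assumption: IAO-documented exceptions (application accounts) are kept in this
# hypothetical file, one SamAccountName per line, '#' starting a comment line.
$ExceptionFile = 'C:\Audit\pswd-never-expires-exceptions.txt'
$documented = @()
if (Test-Path -LiteralPath $ExceptionFile) {
    $documented = @(Get-Content -LiteralPath $ExceptionFile |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') })
}

$report = Search-ADAccount -PasswordNeverExpires -UsersOnly | ForEach-Object {
    # Search-ADAccount does not return the smart card flag, so re-read the user.
    $u = Get-ADUser -Identity $_.DistinguishedName -Properties SmartcardLogonRequired
    $groups = (Get-ADPrincipalGroupMembership -Identity $u |
        Select-Object -ExpandProperty Name) -join '; '

    # Apply the two exemptions named in the check text, in order.
    $status = if ($u.SmartcardLogonRequired) {
        'Exempt (smart card required)'
    } elseif ($documented -contains $u.SamAccountName) {
        'Exempt (documented exception)'
    } else {
        'FINDING'
    }

    [pscustomobject]@{
        UserName     = $u.SamAccountName
        SID          = $u.SID.Value
        PswdExpires  = 'No'              # every account returned here never expires
        AcctDisabled = -not $u.Enabled
        Groups       = $groups
        Status       = $status
    }
}

$report | Sort-Object Status, UserName | Format-Table -AutoSize -Wrap

# Summarize: any remaining FINDING row fails the check.
$findings = @($report | Where-Object { $_.Status -eq 'FINDING' })
Write-Output ("{0} account(s) with non-expiring passwords, {1} finding(s)." -f @($report).Count, $findings.Count)
```

Disabled accounts are reported rather than excluded, because the check text does not list them as exempt.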