UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

System mechanisms must be implemented to enforce automatic expiration of passwords.


Overview

Finding ID Version Rule ID IA Controls Severity
WN12-GE-000016 WN12-GE-000016 WN12-GE-000016_rule Medium
Description
Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.
STIG Date
Microsoft Windows Server 2012 Member Server Security Technical Implementation Guide 2013-07-25

Details

Check Text ( C-WN12-GE-000016_chk )
Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry:

UserName
SID
PswdExpires
AcctDisabled
Groups

If any accounts have "No" in the "PswdExpires" column, this is a finding.

The following are exempt from this requirement:
Application Accounts
Domain accounts requiring smart card (CAC/PIV)

The following PowerShell command may be used on domain controllers to list inactive accounts:
Search-ADAccount -PasswordNeverExpires -UsersOnly

Accounts that meet the requirements for allowable exceptions must be documented with the IAO.
Fix Text (F-WN12-GE-000016_fix)
Configure all passwords to expire. Ensure "Password never expires" is not checked on any accounts. Document any exceptions with the IAO.