Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
WN12-GE-000016 | WN12-GE-000016 | WN12-GE-000016_rule | Medium |
Description |
---|
Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked. |
STIG | Date |
---|---|
Microsoft Windows Server 2012 Member Server Security Technical Implementation Guide | 2013-07-25 |
Check Text ( C-WN12-GE-000016_chk ) |
---|
Run the DUMPSEC utility. Select "Dump Users as Table" from the "Report" menu. Select the following fields, and click "Add" for each entry: UserName SID PswdExpires AcctDisabled Groups If any accounts have "No" in the "PswdExpires" column, this is a finding. The following are exempt from this requirement: Application Accounts Domain accounts requiring smart card (CAC/PIV) The following PowerShell command may be used on domain controllers to list inactive accounts: Search-ADAccount -PasswordNeverExpires -UsersOnly Accounts that meet the requirements for allowable exceptions must be documented with the IAO. |
Fix Text (F-WN12-GE-000016_fix) |
---|
Configure all passwords to expire. Ensure "Password never expires" is not checked on any accounts. Document any exceptions with the IAO. |