SharePoint managed service accounts must be set to enable automatic password change.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-28138	SHPT-00-000600	SV-37784r2_rule		Medium

Description
Passwords have a number of inherent risks. One method of minimizing this risk is to enforce the use of complex passwords. Another method is to enforce periodic password changes. If the information system does not limit the lifetime of passwords and force password changes, the system may be vulnerable to password attacks and may become compromised. This setting only enables automatic password changes for managed account. These accounts are in AD DS. The Windows server STIG guidance requires annual password changes for all service accounts.

Description

Passwords have a number of inherent risks. One method of minimizing this risk is to enforce the use of complex passwords. Another method is to enforce periodic password changes. If the information system does not limit the lifetime of passwords and force password changes, the system may be vulnerable to password attacks and may become compromised. This setting only enables automatic password changes for managed account. These accounts are in AD DS. The Windows server STIG guidance requires annual password changes for all service accounts.

STIG	Date
MS SharePoint 2010 Security Technical Implementation Guide	2019-01-02

Details

Check Text ( C-36986r4_chk )
1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure managed accounts. 3. Go through each service account to see if “Enable automatic password change” is checked. 4. Mark as a finding if “Enable automatic password change” is not checked.

Fix Text (F-32250r3_fix)
1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure managed accounts. 3. Edit setting for each managed account. 4. Select “Enable automatic password change”.