
SharePoint managed service accounts must be set to enable automatic password change.


Overview

Finding ID: V-28138
Version: SHPT-00-000600
Rule ID: SV-37784r1_rule
IA Controls: IAGA-1
Severity: Medium
Description
Passwords need to be changed at specific policy-based intervals. Any password, no matter how complex, can eventually be compromised. One method of minimizing this risk is to use complex passwords and periodically change them. If the information system does not limit the lifetime of passwords and force password changes, there is a risk that the system could be compromised. This setting only enables automatic password change for managed accounts. These accounts are in AD DS. The Windows server STIG guidance requires annual password changes for all service accounts.
STIG: SharePoint 2010 Security Technical Implementation Guide (STIG)
Date: 2011-12-20

Details

Check Text ( C-36986r1_chk )

1. Open the SharePoint Management Shell (Start > All Programs > Microsoft SharePoint Products > SharePoint Management Shell).
2. View the list of Managed Service Accounts using the following Windows PowerShell cmdlet:
Get-SPManagedAccount
3. Verify automatic change is set to “True” for the entire list of managed passwords.
4. Mark as a finding if automatic change is not set to “True” for all managed passwords.
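
Check steps 2 through 4 can be scripted. The following is an added example, not part of the STIG text; it reads the `Username`, `AutomaticChange` and `PasswordExpiration` properties of the objects returned by `Get-SPManagedAccount` and assumes it is run on a farm server by an account with farm administrator rights.

```powershell
# Added example: scripted form of check steps 2-4 (not part of the STIG text).
# Written for PowerShell 2.0, which SharePoint 2010 uses, so no v3+ syntax.

# Load the SharePoint snap-in when not already in the SharePoint Management Shell.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction Stop
}

# Step 2: list every managed account registered in the farm.
$accounts = @(Get-SPManagedAccount)

if ($accounts.Count -eq 0) {
    # Nothing to evaluate; leave the determination to the reviewer.
    Write-Warning 'No managed accounts are registered in this farm.'
}
else {
    # Step 3: record the automatic-change state of each account.
    $report = $accounts | ForEach-Object {
        New-Object PSObject -Property @{
            Username           = $_.Username
            AutomaticChange    = $_.AutomaticChange
            PasswordExpiration = $_.PasswordExpiration
        }
    }
    $report | Sort-Object Username |
        Format-Table Username, AutomaticChange, PasswordExpiration -AutoSize

    # Step 4: any account without automatic change is a finding for V-28138.
    $failing = @($report | Where-Object { -not $_.AutomaticChange })
    if ($failing.Count -gt 0) {
        Write-Output ('FINDING (V-28138): {0} of {1} managed accounts lack automatic password change:' -f $failing.Count, $accounts.Count)
        $failing | ForEach-Object { Write-Output ('  ' + $_.Username) }
    }
    else {
        Write-Output ('NOT A FINDING (V-28138): all {0} managed accounts have automatic password change enabled.' -f $accounts.Count)
    }
}
```

The table output also shows each account's password expiration, which is useful evidence to attach to the review record.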
Fix Text (F-32250r1_fix)

1. In Central Admin, navigate to Security > Configure managed accounts.
2. Edit the settings for each managed account.
3. Select “Enable automatic password change”.