To the extent system capabilities permit, system mechanisms will be implemented to enforce automatic expiration of passwords and to prevent reuse.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6840	4.026	SV-29396r1_rule	IAIA-1 IAIA-2	Medium

Description
Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.

STIG	Date
Windows 2008 Domain Controller Security Technical Implementation Guide	2013-07-03

Details

Check Text ( C-38498r1_chk )
Verify all account passwords expire. The following are exempt from this requirement: Built-in Administrator account Application accounts Domain accounts requiring smart card (CAC) Using the DUMPSEC utility: Select “Dump Users as Table” from the “Report” menu. Select the available fields in the following sequence, and click on the “Add” button for each entry: UserName SID PswdRequired PswdExpires PswdLastSetTime LastLogonTime AcctDisabled Groups If any accounts, other than the exceptions noted, have a “No” in the “PswdExpires” column, then this is a finding. Note: The following command can be used on Windows Active Directory if DumpSec cannot be run: Open a Command Prompt. Enter “Dsquery user -limit 0 \| Dsget user -dn -pwdneverexpires”. This will return a list of User Accounts with Yes/No for Pwdneverexpires. If any accounts, other than the exceptions noted, have "Yes", then this is a finding. The results can be directed to a text file by adding “> filename.txt” at the end of the command. Documentable Explanation: Accounts meeting the requirements for allowable exceptions should be documented with the IAO.

Check Text ( C-38498r1_chk )

Verify all account passwords expire. The following are exempt from this requirement:
Built-in Administrator account
Application accounts
Domain accounts requiring smart card (CAC)

Using the DUMPSEC utility:

Select “Dump Users as Table” from the “Report” menu.
Select the available fields in the following sequence, and click on the “Add” button for each entry:

UserName
SID
PswdRequired
PswdExpires
PswdLastSetTime
LastLogonTime
AcctDisabled
Groups

If any accounts, other than the exceptions noted, have a “No” in the “PswdExpires” column, then this is a finding.

Note: The following command can be used on Windows Active Directory if DumpSec cannot be run:

Open a Command Prompt.
Enter “Dsquery user -limit 0 | Dsget user -dn -pwdneverexpires”.
This will return a list of User Accounts with Yes/No for Pwdneverexpires.

If any accounts, other than the exceptions noted, have "Yes", then this is a finding.
The results can be directed to a text file by adding “> filename.txt” at the end of the command.

Documentable Explanation: Accounts meeting the requirements for allowable exceptions should be documented with the IAO.

Fix Text (F-6527r1_fix)
Configure all information systems to expire passwords.