Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-14271 | 4.018 | SV-29337r1_rule | IAIA-1 | Medium |
Description |
---|
Setting application accounts to expire may cause applications to stop functioning. The site will have a policy that application account passwords manually generated and entered by a system administrator are changed at least annually or when a system administrator with knowledge of the password leaves the organization. Application/service account passwords will be at least 15 characters and follow complexity requirements for all passwords. |
STIG | Date |
---|---|
Windows 2008 Domain Controller Security Technical Implementation Guide | 2014-06-27 |
Check Text ( C-11762r1_chk ) |
---|
The site should have a local policy to ensure that passwords for application/service accounts are at least 15 characters in length and meet complexity requirements for all passwords. Application/service account passwords manually generated and entered by a system administrator must be changed at least annually or whenever a system administrator that has knowledge of the password leaves the organization. Interview the system administrators on their policy for application/service accounts. If it does not meet the above requirements, this is a finding. Using the DUMPSEC utility: Select “Dump Users as Table” from the “Report” menu. Select the available fields in the following sequence, and click on the “Add” button for each entry: UserName SID PswdRequired PswdExpires PswdLastSetTime LastLogonTime AcctDisabled Groups If any application accounts listed in the Dumpsec user report have a date older than one year in the “PwsdLastSetTime” column, then this is a finding. Note: The following command can be used on Windows 2003/2008 Active Directory if DumpSec cannot be run: Open a Command Prompt. Enter “Dsquery user -limit 0 -o rdn -stalepwd 365”. This will return a list of User Accounts with passwords older the one year. |
Fix Text (F-13613r1_fix) |
---|
Create application/service account passwords that are at least 15 characters in length and meet complexity requirements. Change application/service account passwords that are manually generated and entered by a system administrator at least annually or whenever an administrator with knowledge of the password leaves the organization. |