System mechanisms must be implemented to enforce automatic expiration of passwords.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6840	4.026	SV-25211r2_rule	IAIA-1 IAIA-2	Medium

Description
Passwords that do not expire increase exposure with a greater probability of being discovered or cracked.

STIG	Date
Windows 7 Security Technical Implementation Guide	2015-09-02

Details

Check Text ( C-62081r1_chk )
Run the DUMPSEC utility. Select "Dump Users as Table" from the "Report" menu. Select the following fields, and click "Add" for each entry. UserName SID PswdExpires AcctDisabled Groups If any accounts have "No" in the "PswdExpires" column, this is a finding. The following are exempt from this requirement: Built-in Administrator Account Application Accounts Accounts that meet the requirements for allowable exceptions must be documented with the ISSO.

Check Text ( C-62081r1_chk )

Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry.

UserName
SID
PswdExpires
AcctDisabled
Groups

If any accounts have "No" in the "PswdExpires" column, this is a finding.

The following are exempt from this requirement:
Built-in Administrator Account
Application Accounts

Accounts that meet the requirements for allowable exceptions must be documented with the ISSO.

Fix Text (F-66979r1_fix)
Configure all passwords to expire. Ensure "Password never expires" is not checked on all accounts in Computer Management, Local Users and Groups. Document any exceptions with the ISSO.