UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Application account passwords must meet DoD requirements for length, complexity and changes.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14271 4.018 SV-25212r2_rule Medium
Description
Setting application accounts to expire may cause applications to stop functioning. The site will have a policy that application account passwords are changed at least annually or when a system administrator with knowledge of the password leaves the organization. Application/service account passwords will be at least 15 characters and follow complexity requirements for all passwords.
STIG Date
Windows 7 Security Technical Implementation Guide 2018-02-12

Details

Check Text ( C-51773r1_chk )
The site should have a local policy to ensure that passwords for application/service accounts are at least 15 characters in length and meet complexity requirements for all passwords. Application/service account passwords manually generated and entered by a system administrator must be changed at least annually or whenever a system administrator that has knowledge of the password leaves the organization.

Interview the system administrators on their policy for application/service accounts. If it does not meet the above requirements, this is a finding.

Using the DUMPSEC utility:

Select "Dump Users as Table" from the "Report" menu.
Select the available fields in the following sequence, and click on the "Add" button for each entry:

UserName
SID
PswdRequired
PswdExpires
PswdLastSetTime
LastLogonTime
AcctDisabled
Groups

If any application accounts listed in the Dumpsec user report have a date older than one year in the "PwsdLastSetTime" column, then this is a finding.
Fix Text (F-53555r1_fix)
Create application/service account passwords that are at least 15 characters in length and meet complexity requirements. Change application/service account passwords that are manually generated and entered by a system administrator at least annually or whenever an administrator with knowledge of the password leaves the organization.