Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
System mechanisms will be implemented to enforce automatic expiration of passwords.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-6840 | 4.026 | SV-32269r1_rule | IAIA-1 IAIA-2 | Medium |
| Description |
|---|
| Passwords that do not expire increase the exposure of a password with greater probability of being discovered or cracked. |
| STIG | Date |
|---|---|
| Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide | 2012-09-05 |
Details
| Check Text ( C-38498r1_chk ) |
|---|
| Verify all account passwords expire. The following are exempt from this requirement: Built-in Administrator account Application accounts Domain accounts requiring smart card (CAC) Using the DUMPSEC utility: Select “Dump Users as Table” from the “Report” menu. Select the available fields in the following sequence, and click on the “Add” button for each entry: UserName SID PswdRequired PswdExpires PswdLastSetTime LastLogonTime AcctDisabled Groups If any accounts, other than the exceptions noted, have a “No” in the “PswdExpires” column, then this is a finding. Note: The following command can be used on Windows Active Directory if DumpSec cannot be run: Open a Command Prompt. Enter “Dsquery user -limit 0 | Dsget user -dn -pwdneverexpires”. This will return a list of User Accounts with Yes/No for Pwdneverexpires. If any accounts, other than the exceptions noted, have "Yes", then this is a finding. The results can be directed to a text file by adding “> filename.txt” at the end of the command. Documentable Explanation: Accounts meeting the requirements for allowable exceptions should be documented with the IAO. |
| Fix Text (F-6527r1_fix) |
|---|
| Configure all information systems to expire passwords. |