UCF STIG Viewer Logo

Application account passwords must meet DoD requirements for length, complexity and changes.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14271 4.018 SV-32271r2_rule Medium
Description
Setting application accounts to expire may cause applications to stop functioning. The organization must have a policy that manually managed application account passwords are changed at least annually or when a system administrator with knowledge of the password leaves the organization. Application/service account passwords must be at least 15 characters and follow complexity requirements for all passwords.
STIG Date
Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide 2019-06-18

Details

Check Text ( C-78971r4_chk )
Determine if manually managed application/service accounts exist. If none exist, this is NA.

Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length. It must also require the passwords be changed at least annually or when an administrator with knowledge of the password leaves the organization.

If such a policy does not exist or has not been implemented, this is a finding.

Identify manually managed application/service accounts.

To determine the date a password was last changed:

Domain controllers:

Open "Windows PowerShell" with elevated privileges (run as administrator).

Enter "Import-Module ActiveDirectory". (This only needs to be run once during a PowerShell session.)

Enter "Get-ADUser -Identity [application account name] -Properties PasswordLastSet | FL Name, PasswordLastSet", where [application account name] is the name of the manually managed application/service account.

If the "PasswordLastSet" date is more than one year old, this is a finding.

Member servers and standalone systems:

Open "Windows PowerShell" or "Command Prompt".

Enter 'Net User [application account name] | Find /i "Password Last Set"', where [application account name] is the name of the manually managed application/service account.

If the "Password Last Set" date is more than one year old, this is a finding.

Note: Other queries or tools may be used. The organization must be able to demonstrate the results are valid and meet the intent of the requirement.
Fix Text (F-86129r1_fix)
Establish a policy that requires application/service account passwords that are manually managed to be at least 15 characters in length. It must also require the passwords be changed at least annually or when an administrator with knowledge of the password leaves the organization. Ensure the policy is enforced.

Windows automatically addresses passwords for Managed Service Accounts.