
System mechanisms will be implemented to enforce automatic expiration of passwords.


Overview

Finding ID: V-6840
Version: 4.026
Rule ID: SV-32269r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Passwords that do not expire increase the exposure of a password with greater probability of being discovered or cracked.
STIG: Windows Server 2008 R2 Member Server Security Technical Implementation Guide
Date: 2016-06-08

Details

Check Text ( C-38498r1_chk )
Verify all account passwords expire. The following are exempt from this requirement:
Built-in Administrator account
Application accounts
Domain accounts requiring smart card (CAC)

Using the DUMPSEC utility:

Select “Dump Users as Table” from the “Report” menu.
Select the available fields in the following sequence, and click on the “Add” button for each entry:

UserName
SID
PswdRequired
PswdExpires
PswdLastSetTime
LastLogonTime
AcctDisabled
Groups

If any accounts, other than the exceptions noted, have a “No” in the “PswdExpires” column, then this is a finding.

Note: The following command can be used on Windows Active Directory if DumpSec cannot be run:

Open a Command Prompt.
Enter “Dsquery user -limit 0 | Dsget user -dn -pwdneverexpires”.
This will return a list of User Accounts with Yes/No for Pwdneverexpires.

If any accounts, other than the exceptions noted, have "Yes", then this is a finding.
The results can be directed to a text file by adding “> filename.txt” at the end of the command.

Documentable Explanation: Accounts meeting the requirements for allowable exceptions should be documented with the IAO.
Fix Text (F-6527r1_fix)
Configure all information systems to expire passwords.
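The following PowerShell script is an added example and is not part of the STIG check or fix text. It performs the same audit the DumpSec and dsquery/dsget steps describe (local accounts via Win32_UserAccount, domain accounts via the ActiveDirectory module), applies the three listed exemptions (built-in Administrator identified by RID 500, smart-card-required accounts, and documented application accounts), and with -Remediate clears the "password never expires" flag as the Fix Text requires. It assumes the RSAT ActiveDirectory module is present for the domain portion; the account names in $DocumentedExceptions are placeholders for the list agreed with the IAO.

```powershell
# Added example (not STIG text): audit V-6840 on a member server and optionally remediate.
# Local accounts: Win32_UserAccount.PasswordExpires (false == "PswdExpires: No" in DumpSec).
# Domain accounts: Get-ADUser PasswordNeverExpires (true == "pwdneverexpires: yes" in dsget).
# $DocumentedExceptions holds the IAO-documented application accounts; the names below are
# placeholders and must be replaced with the site's own documented list.
param(
    [string[]]$DocumentedExceptions = @('svc_backup', 'svc_sql'),
    [switch]$Remediate
)

$findings = @()

# --- Local accounts on this server ---
foreach ($acct in Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True") {
    $isBuiltInAdmin = $acct.SID -match '-500$'                  # built-in Administrator (RID 500)
    $isException    = $DocumentedExceptions -contains $acct.Name
    if (-not $acct.PasswordExpires -and -not ($isBuiltInAdmin -or $isException)) {
        $findings += New-Object PSObject -Property @{
            Scope    = 'Local'
            Account  = $acct.Name
            SID      = $acct.SID
            Disabled = $acct.Disabled
        }
        if ($Remediate) {
            # Fix: make the local password expire again (writes the WMI property back)
            $acct.PasswordExpires = $true
            $acct.Put() | Out-Null
        }
    }
}

# --- Domain accounts (equivalent of "Dsquery user -limit 0 | Dsget user -dn -pwdneverexpires") ---
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    foreach ($user in Get-ADUser -Filter * -Properties PasswordNeverExpires, SmartcardLogonRequired, Enabled) {
        $isBuiltInAdmin = $user.SID.Value -match '-500$'        # domain built-in Administrator
        $isSmartCard    = $user.SmartcardLogonRequired          # CAC-required accounts are exempt
        $isException    = $DocumentedExceptions -contains $user.SamAccountName
        if ($user.PasswordNeverExpires -and -not ($isBuiltInAdmin -or $isSmartCard -or $isException)) {
            $findings += New-Object PSObject -Property @{
                Scope    = 'Domain'
                Account  = $user.SamAccountName
                SID      = $user.SID.Value
                Disabled = -not $user.Enabled
            }
            if ($Remediate) {
                # Fix (F-6527r1_fix): clear the "password never expires" flag
                Set-ADUser -Identity $user.DistinguishedName -PasswordNeverExpires $false
            }
        }
    }
} else {
    Write-Warning 'ActiveDirectory module not available; domain accounts were not checked.'
}

if ($findings.Count -eq 0) {
    Write-Output 'No finding: every non-exempt account password expires.'
} else {
    Write-Output 'FINDING: non-exempt accounts with non-expiring passwords:'
    $findings | Format-Table Scope, Account, SID, Disabled -AutoSize
}
```

Run it without -Remediate first and reconcile the output against the IAO's documented exception list; disabled accounts are still reported, since the check text does not exempt them. Application accounts cannot be recognised automatically, which is why they have to be supplied explicitly rather than inferred from the account name.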