Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6840 | WN12-GE-000016 | SV-52939r3_rule | Medium |
Description |
---|
Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked. |
STIG | Date |
---|---|
Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide | 2017-06-09 |
Check Text ( C-47245r4_chk ) |
---|
Run the DUMPSEC utility. Select "Dump Users as Table" from the "Report" menu. Select the following fields, and click "Add" for each entry: UserName SID PswdExpires AcctDisabled Groups If any accounts have "No" in the "PswdExpires" column, this is a finding. The following are exempt from this requirement: Application Accounts Domain accounts requiring smart card (CAC/PIV) The following PowerShell command may be used on domain controllers to list accounts with the Password Never Expires flag: Search-ADAccount -PasswordNeverExpires -UsersOnly |
Fix Text (F-45865r2_fix) |
---|
Configure all passwords to expire. Ensure "Password never expires" is not checked on any accounts. Document any exceptions with the ISSO. |