System mechanisms must be implemented to enforce automatic expiration of passwords.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6840	WN12-GE-000016	SV-52939r3_rule		Medium

Description
Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.

STIG	Date
Windows Server 2012/2012 R2 Member Server Security Technical Implementation Guide	2017-02-27

Details

Check Text ( C-47245r4_chk )
Run the DUMPSEC utility. Select "Dump Users as Table" from the "Report" menu. Select the following fields, and click "Add" for each entry: UserName SID PswdExpires AcctDisabled Groups If any accounts have "No" in the "PswdExpires" column, this is a finding. The following are exempt from this requirement: Application Accounts Domain accounts requiring smart card (CAC/PIV) The following PowerShell command may be used on domain controllers to list accounts with the Password Never Expires flag: Search-ADAccount -PasswordNeverExpires -UsersOnly

Check Text ( C-47245r4_chk )

Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry:

UserName
SID
PswdExpires
AcctDisabled
Groups

If any accounts have "No" in the "PswdExpires" column, this is a finding.

The following are exempt from this requirement:
Application Accounts
Domain accounts requiring smart card (CAC/PIV)

The following PowerShell command may be used on domain controllers to list accounts with the Password Never Expires flag:
Search-ADAccount -PasswordNeverExpires -UsersOnly

Fix Text (F-45865r2_fix)
Configure all passwords to expire. Ensure "Password never expires" is not checked on any accounts. Document any exceptions with the ISSO.