UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.


Overview

Finding ID Version Rule ID IA Controls Severity
V-36662 WN12-00-000011 SV-51580r2_rule IAIA-1 Medium
Description
Setting application accounts to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack.
STIG Date
Windows Server 2012 / 2012 R2 Domain Controller Security Technical Implementation Guide 2015-09-02

Details

Check Text ( C-46843r2_chk )
Determine if any system administrators with knowledge of application account passwords have left the organization within the last year.

Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry:

UserName
SID
PwsdLastSetTime

If any application accounts listed that are manually managed and have a date older than one year in the "PwsdLastSetTime" column, this is a finding.
If any system administrators with knowledge of application account passwords have left the organization within the last year and the "PwsdLastSetTime" field reflects that application account passwords were not changed at that time, this is a finding.
Fix Text (F-44709r2_fix)
Change application/service account passwords that are manually managed and entered by a system administrator at least annually or whenever an administrator with knowledge of the password leaves the organization.