UCF STIG Viewer Logo

To the extent system capabilities permit, system mechanisms are not implemented to enforce automatic expiration of passwords and to prevent reuse.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6840 4.026 SV-29395r1_rule Medium
Description
Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.
STIG Date
Windows Vista Security Technical Implementation Guide 2017-01-30

Details

Check Text ( C-3230r1_chk )
Using the DUMPSEC utility:

Select “Dump Users as Table” from the “Report” menu.
Select the available fields in the following sequence, and click on the “Add” button for each entry:

UserName
SID
PswdRequired
PswdExpires
PswdLastSetTime
LastLogonTime
AcctDisabled
Groups

If any accounts listed in the user report have a “No” in the “PswdExpires” column, then this is a finding.

Note: The following command can be used on Windows 2003/2008 Active Directory if DumpSec cannot be run:

Open a Command Prompt.
Enter “Dsquery user -limit 0 | Dsget user -dn -pwdneverexpires”.
This will return a list of User Accounts with Yes/No for Pwdneverexpires.

If any accounts have "Yes", then this is a finding.
The results can be directed to a text file by adding “> filename.txt” at the end of the command

The following are exempt from this requirement:
Built-in Administrator Account
Application Accounts

Documentable Explanation: Accounts that meet the requirements for allowable exceptions should be documented with the IAO.
Fix Text (F-6527r1_fix)
Configure all information systems to expire passwords.