Check: AD.0014
Active Directory Domain STIG: AD.0014 (in versions v3 r4 through v2 r8)
Title
Windows service \ application accounts with administrative privileges and manually managed passwords must have passwords changed at least every 60 days. (Cat II impact)
Discussion
NT hashes of passwords for accounts that are not changed regularly are susceptible to reuse by attackers using Pass-the-Hash. Windows service \ application account passwords are typically left unchanged for long periods to avoid disrupting application availability. If such a service \ application account also has administrative privileges, it provides elevated access if compromised.
Check Content
If no Windows service \ application accounts with manually managed passwords have administrative privileges, this is NA. Verify that Windows service \ application accounts with administrative privileges and manually managed passwords have their passwords changed at least every 60 days.
Fix Text
If no Windows service \ application accounts with manually managed passwords have administrative privileges, this is NA. Change passwords for Windows service \ application accounts with administrative privileges and manually managed passwords at least every 60 days.
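One way to enumerate candidates for this check, as an added example that is not part of the STIG text: it lists enabled members of the built-in administrative groups whose password is older than 60 days, so the reviewer can then decide which of them are manually managed service \ application accounts. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the group list is an assumption and should be extended with any site-specific admin groups.

```powershell
# Added example, not STIG-supplied code. Assumes the ActiveDirectory module
# and domain read access; the group list below is an assumption per site.
Import-Module ActiveDirectory

$MaxAgeDays = 60                                  # limit stated by AD.0014
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# Built-in administrative groups; add site-specific admin groups as needed.
# Enterprise/Schema Admins only exist in the forest root, hence the
# SilentlyContinue when the group is absent in a child domain.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                      'Schema Admins', 'Administrators')

# Resolve nested membership and keep only user objects. Group managed
# service accounts (gMSA) are a different objectClass and are excluded,
# since their passwords are not manually managed.
$Members = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
}

$Members |
    Sort-Object -Property distinguishedName -Unique |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName `
            -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalName, Enabled
    } |
    # A null PasswordLastSet means the password was never set or is flagged
    # "must change"; report it alongside passwords older than the cutoff.
    Where-Object { $_.Enabled -and
                   ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff) } |
    Select-Object SamAccountName,
        @{ n = 'PasswordAgeDays'
           e = { if ($_.PasswordLastSet) {
                     [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } },
        PasswordNeverExpires,
        # An SPN is a strong hint the account is used by a service/application.
        @{ n = 'HasSPN'; e = { [bool]$_.ServicePrincipalName } } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Any row with HasSPN true and PasswordNeverExpires true is the typical finding this check targets; a row with a blank PasswordAgeDays has never had its password set since creation and warrants a look regardless.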
Additional Identifiers
Rule ID: SV-243474r954038_rule
Vulnerability ID: V-243474
Group Title: SRG-OS-000076
Expert Comments
CCIs
Number | Definition
---|---
CCI-000199 | The information system enforces maximum password lifetime restrictions.
Controls
Number | Title
---|---
IA-5(1) | Password-based Authentication