Title

Application/service account passwords must be changed at least annually or whenever a system administrator with knowledge of the password leaves the organization. (Cat II impact)

Discussion

Setting application accounts to expire may cause applications to stop functioning. The site will have a policy for application account passwords manually generated and entered by a system administrator to be changed at least annually or when a system administrator with knowledge of the password leaves the organization. Application/service account passwords will be at least 15 characters and follow complexity requirements for all passwords.

Check Content

The site should have a local policy ensuring passwords for application/service accounts are at least 15 characters in length and meet complexity requirements for all passwords. Application/service account passwords manually generated and entered by a system administrator must be changed at least annually or whenever a system administrator with knowledge of the password leaves the organization. Interview the system administrators on their policy for application/service accounts. If it does not meet the above requirements, this is a finding.

Fix Text

Create application/service account passwords at least 15 characters in length and meet complexity requirements. Change of application/service account passwords are manually generated and entered by a system administrator at least annually or whenever an administrator with knowledge of the password leaves the organization.

Additional Identifiers

Rule ID: SV-37329r1_rule

Vulnerability ID: V-25378

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.