Check: SHPT-00-000600
MS SharePoint 2010 STIG:
SHPT-00-000600
(in version v1 r9)
Title
SharePoint managed service accounts must be set to enable automatic password change. (Cat II impact)
Discussion
Passwords have a number of inherent risks. One method of minimizing this risk is to enforce the use of complex passwords. Another method is to enforce periodic password changes. If the information system does not limit the lifetime of passwords and force password changes, the system may be vulnerable to password attacks and may become compromised. This setting only enables automatic password changes for managed account. These accounts are in AD DS. The Windows server STIG guidance requires annual password changes for all service accounts.
Check Content
1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure managed accounts. 3. Go through each service account to see if “Enable automatic password change” is checked. 4. Mark as a finding if “Enable automatic password change” is not checked.
Fix Text
1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure managed accounts. 3. Edit setting for each managed account. 4. Select “Enable automatic password change”.
Additional Identifiers
Rule ID: SV-37784r2_rule
Vulnerability ID: V-28138
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000199 |
The information system enforces maximum password lifetime restrictions. |
Controls
Number | Title |
---|---|
IA-5 (1) |
Password-Based Authentication |