Title

SharePoint managed service accounts must be set to enable automatic password change. (Cat II impact)

Discussion

Passwords have a number of inherent risks. One method of minimizing this risk is to enforce the use of complex passwords. Another method is to enforce periodic password changes. If the information system does not limit the lifetime of passwords and force password changes, the system may be vulnerable to password attacks and may become compromised. This setting only enables automatic password changes for managed account. These accounts are in AD DS. The Windows server STIG guidance requires annual password changes for all service accounts.

Check Content

1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure managed accounts. 3. Go through each service account to see if “Enable automatic password change” is checked. 4. Mark as a finding if “Enable automatic password change” is not checked.

Fix Text

1. In SharePoint Central Administration, click Security. 2. On the Security page, in the General Security list, click Configure managed accounts. 3. Edit setting for each managed account. 4. Select “Enable automatic password change”.

Additional Identifiers

Rule ID:

Vulnerability ID: V-28138

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.