Check: WN12-SO-000025
Microsoft Windows Server 2012/2012 R2 Domain Controller STIG:
WN12-SO-000025
(in versions v3 r7 through v2 r7)
Title
Users must be warned in advance of their passwords expiring. (Cat III impact)
Discussion
Creating strong passwords that can be remembered by users requires some thought. By giving the user advance warning, the user has time to construct a sufficiently strong password. This setting configures the system to display a warning to users telling them how many days are left before their password expires.
Check Content
If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: PasswordExpiryWarning Value Type: REG_DWORD Value: 14 (or greater)
Fix Text
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive Logon: Prompt user to change password before expiration" to "14" days or more.
Additional Identifiers
Rule ID: SV-226291r794589_rule
Vulnerability ID: V-226291
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |