Title

Users must be warned in advance of their passwords expiring. (Cat III impact)

Discussion

Creating strong passwords that can be remembered by users requires some thought. By giving the user advance warning, the user has time to construct a sufficiently strong password. This setting configures the system to display a warning to users telling them how many days are left before their password expires.

Check Content

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: PasswordExpiryWarning Value Type: REG_DWORD Value: 14 (or greater)

Fix Text

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive Logon: Prompt user to change password before expiration" to "14" days or more.

Additional Identifiers

Rule ID:

Vulnerability ID: V-1172

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.