Title

Reversible password encryption must be disabled. (Cat II impact)

Discussion

Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy must never be enabled.

Check Content

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Account Policies >> Password Policy. If the value for "Store password using reversible encryption" is not disabled, this is a finding.

Fix Text

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Store password using reversible encryption" to "Disabled".

Additional Identifiers

Rule ID: SV-25013r2_rule

Vulnerability ID: V-2372

Group Title: Reversible Password Encryption

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.