Check: 4.026
Windows 7 STIG:
4.026
(in versions v1 r32 through v1 r25)
Title
System mechanisms must be implemented to enforce automatic expiration of passwords. (Cat II impact)
Discussion
Passwords that do not expire increase exposure with a greater probability of being discovered or cracked.
Check Content
Run the DUMPSEC utility. Select "Dump Users as Table" from the "Report" menu. Select the following fields, and click "Add" for each entry:

- UserName
- SID
- PswdExpires
- AcctDisabled
- Groups

If any accounts have "No" in the "PswdExpires" column, this is a finding. The following are exempt from this requirement:

- Built-in Administrator Account
- Application Accounts

Accounts that meet the requirements for allowable exceptions must be documented with the ISSO.
Fix Text
Configure all passwords to expire. Ensure "Password never expires" is not checked on all accounts in Computer Management, Local Users and Groups. Document any exceptions with the ISSO.
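The check and fix above can be scripted for a host where DUMPSEC is not available. The following PowerShell is an added example, not DISA tooling or part of the STIG: it uses WMI (available on Windows 7 PowerShell 2.0) to list local accounts whose password never expires, marks the built-in Administrator (RID 500) and any ISSO-documented application accounts as exempt, and provides a remediation function that clears the "Password never expires" flag through ADSI. The `$DocumentedExceptions` list and the account name in it are constructed placeholders that an administrator would replace with the locally documented exceptions.

```powershell
# Added example (not part of the STIG or of DISA tooling): enumerate local accounts
# whose password never expires. WMI is used so the check runs on Windows 7 / PowerShell 2.0.
# Assumption: the exemption list is maintained locally from the ISSO's documentation.
$DocumentedExceptions = @('svc_example')   # constructed placeholder for application accounts

function Get-PasswordNeverExpiresFindings {
    param([string[]]$Exempt = $DocumentedExceptions)

    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { -not $_.PasswordExpires } |
        ForEach-Object {
            $isBuiltinAdmin = $_.SID -like '*-500'      # built-in Administrator has RID 500
            $isDocumented   = $Exempt -contains $_.Name
            $isExempt       = $isBuiltinAdmin -or $isDocumented
            New-Object PSObject -Property @{
                UserName     = $_.Name
                SID          = $_.SID
                PswdExpires  = $_.PasswordExpires     # "No" in DUMPSEC terms when $false
                AcctDisabled = $_.Disabled
                Exempt       = $isExempt
                Finding      = -not $isExempt        # $true rows are STIG findings
            }
        }
}

# Remediation for one account: clear ADS_UF_DONT_EXPIRE_PASSWD (0x10000) in UserFlags.
# This is the scripted equivalent of unticking "Password never expires" in
# Computer Management > Local Users and Groups.
function Clear-PasswordNeverExpires {
    param([Parameter(Mandatory = $true)][string]$UserName)

    $user  = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    $flags = [int]$user.UserFlags.Value
    if ($flags -band 0x10000) {
        $user.UserFlags = $flags -bxor 0x10000
        $user.SetInfo()
    }
}

# Report in the same column order the DUMPSEC check asks for, findings first.
Get-PasswordNeverExpiresFindings |
    Sort-Object Finding -Descending |
    Format-Table UserName, SID, PswdExpires, AcctDisabled, Exempt, Finding -AutoSize
```

Run the report as an administrator; rows with `Finding` set to `$true` either need `Clear-PasswordNeverExpires` applied or must be documented with the ISSO and added to the exception list. On Windows 10 and later the `Get-LocalUser` / `Set-LocalUser -PasswordNeverExpires $false` cmdlets do the same job, but they are not present on Windows 7, which is why this example stays with WMI and ADSI.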
Additional Identifiers
Rule ID: SV-25211r2_rule
Vulnerability ID: V-6840
Group Title: Password Expiration
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000199 | The information system enforces maximum password lifetime restrictions. |
Controls
| Number | Title |
|---|---|
| IA-5(1) | Password-based Authentication |