Title

The computer account password must not be prevented from being reset. (Cat III impact)

Discussion

Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for your system. A new password for the computer account will be generated every 30 days.

Check Content

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Domain Member: Disable Machine Account Password Changes" is not set to "Disabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange Value Type: REG_DWORD Value: 0

Fix Text

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain Member: Disable Machine Account Password Changes" to "Disabled".

Additional Identifiers

Rule ID: SV-48057r1_rule

Vulnerability ID: V-1165

Group Title: Computer Account Password Reset

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.