Title

Users must be warned in advance of their passwords expiring. (Cat III impact)

Discussion

Creating strong passwords that can be remembered by users requires some thought. By giving the user advance warning, the user has time to construct a sufficiently strong password. This setting configures the system to display a warning to users telling them how many days are left before their password expires.

Check Content

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Interactive Logon: Prompt user to change password before expiration" is not set to "14" days or more, this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: PasswordExpiryWarning Value Type: REG_DWORD Value: 14

Fix Text

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive Logon: Prompt user to change password before expiration" to "14" days or more.

Additional Identifiers

Rule ID: SV-48061r1_rule

Vulnerability ID: V-1172

Group Title: Password Expiration Warning

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.