Title

Reversible password encryption must be disabled. (Cat I impact)

Discussion

Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy must never be enabled.

Check Content

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Account Policies -> Password Policy. If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding.

Fix Text

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Store password using reversible encryption" to "Disabled".

Additional Identifiers

Rule ID: SV-48064r1_rule

Vulnerability ID: V-2372

Group Title: Reversible Password Encryption

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.