Check: 3.028
Windows Vista STIG:
3.028
(in versions v6 r42 through v6 r41)
Title
The built-in Windows password complexity policy must be enabled. (Cat II impact)
Discussion
The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least 3 of the 4 types of characters (numbers, upper- and lower-case letters, and special characters), as well as preventing the inclusion of user names or parts of.
Check Content
Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Account Policies >> Password Policy. If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. Note: If an external password filter is in use that enforces all 4 character types and requires this setting be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.
Fix Text
Configure the policy value for Computer Configuration -> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Password must meet complexity requirements" to "Enabled".
Additional Identifiers
Rule ID: SV-29684r2_rule
Vulnerability ID: V-1150
Group Title: Microsoft Strong Password Filtering
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000192 |
The information system enforces password complexity by the minimum number of upper case characters used. |
| CCI-000193 |
The information system enforces password complexity by the minimum number of lower case characters used. |
| CCI-000194 |
The information system enforces password complexity by the minimum number of numeric characters used. |
| CCI-001619 |
The information system enforces password complexity by the minimum number of special characters used. |
Controls
| Number | Title |
|---|---|
| IA-5 (1) |
Password-Based Authentication |