Title

The built-in Microsoft password filter is not enabled. (Cat III impact)

Discussion

The use of complex passwords increases their strength against guessing. This policy setting configures the system to verify that newly-created passwords conform to the Windows password complexity policy.

Check Content

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Account Policies -> Password Policy. If the value for “Password must meet complexity requirements” is not set to "Enabled", then this is a finding. Note: If the site is using a password filter that requires this setting be set to “Disabled” for the filter code to be used, then this would not be considered a finding. If this setting does not affect the use of an external password filter, it will be enabled for fall-back purposes.

Fix Text

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> “Password must meet complexity requirements” to "Enabled".

Additional Identifiers

Rule ID: SV-29682r1_rule

Vulnerability ID: V-1150

Group Title: Microsoft Strong Password Filtering

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.