Title

Users are not warned in advance that their passwords will expire. (Cat III impact)

Discussion

This setting configures the system to display a warning to users telling them how many days are left before their password expires. By giving the user advanced warning, the user has time to construct a sufficiently strong password.

Check Content

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for “Interactive Logon: Prompt user to change password before expiration” is not set to “14" days or more, then this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: PasswordExpiryWarning Value Type: REG_DWORD Value: 14

Fix Text

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Interactive Logon: Prompt user to change password before expiration” to “14” days or more.

Additional Identifiers

Rule ID: SV-1172r1_rule

Vulnerability ID: V-1172

Group Title: Password Expiration Warning

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.