SV-87969.md
---
scapolite:
class: rule
version: '0.51'
id: SV-87969
id_namespace: mil.disa.Windows-Server-2016-STIG
title: The maximum password age must be configured to 60 days or less.
rule: <see below>
description: <see below>
applicability:
- system: org.scapolite.xccdf.applicability
weight: 10.0
selected: false
role: ''
severity: medium
implementations:
- relative_id: F-79759r1
description: <see below>
automations:
- system: org.scapolite.implementation.win_gpo
ui_path: Computer Configuration\Policies\Windows Settings\Security Settings\Account
Policies\Password Policy\Maximum password age
value: 60
verification_status: Checked.
- system: org.scapolite.implementation.win_secedit
setting_name: MaximumPasswordAge
section: System Access
value: 60
checks:
- relative_id: C-73421r1
description: <see below>
- relative_id: '01'
title: OVAL-based check
description: <see below>
automations:
- system: http://oval.mitre.org/XMLSchema/oval-definitions-5
idref: oval:mil.disa.stig.windows:def:1015
href: U_MS_Windows_Server_2016_V1R7_STIG_SCAP_1-2_Benchmark-oval.xml
exports:
- value_id_namespace: mil.disa.Windows-Server-2016-STIG
value_idref: password_maximum_age_var
variable_idref: oval:mil.disa.stig.windows:var:101500
crossrefs:
- system: http://iase.disa.mil/cci
idref: CCI-000199
relation: ''
- system: http://cce.mitre.org
idref: CCE-44704-5
relation: ''
history:
- version: r1
action: created
description: WN16-AC-000050
internal_comment: ''
---
## /rule
The maximum password age must be configured to 60 days or less.
## /description
[**VulnDiscussion**]{.separator type='STIG'}
The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.
[**Documentable**]{.separator type='STIG'}
false
## /implementations/0/description
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Maximum password age" to "60" days or less (excluding "0", which is unacceptable).
## /checks/0/description
Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.
If the value for the "Maximum password age" is greater than "60" days, this is a finding.
If the value is set to "0" (never expires), this is a finding.
## /checks/1/description
IASE supplies an OVAL check.