---
scapolite:
    class: rule
    version: '0.51'
id: SV-87969
id_namespace: mil.disa.Windows-Server-2016-STIG
title: The maximum password age must be configured to 60 days or less.
rule: <see below>
description: <see below>
applicability:
  - system: org.scapolite.xccdf.applicability
    weight: 10.0
    selected: false
    role: ''
    severity: medium
implementations:
  - relative_id: F-79759r1
    description: <see below>
    automations:
      - system: org.scapolite.implementation.win_gpo
        ui_path: Computer Configuration\Policies\Windows Settings\Security Settings\Account
            Policies\Password Policy\Maximum password age
        value: 60
        verification_status: Checked.
      - system: org.scapolite.implementation.win_secedit
        setting_name: MaximumPasswordAge
        section: System Access
        value: 60
checks:
  - relative_id: C-73421r1
    description: <see below>
  - relative_id: '01'
    title: OVAL-based check
    description: <see below>
    automations:
      - system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        idref: oval:mil.disa.stig.windows:def:1015
        href: U_MS_Windows_Server_2016_V1R7_STIG_SCAP_1-2_Benchmark-oval.xml
        exports:
          - value_id_namespace: mil.disa.Windows-Server-2016-STIG
            value_idref: password_maximum_age_var
            variable_idref: oval:mil.disa.stig.windows:var:101500
crossrefs:
  - system: http://iase.disa.mil/cci
    idref: CCI-000199
    relation: ''
  - system: http://cce.mitre.org
    idref: CCE-44704-5
    relation: ''
history:
  - version: r1
    action: created
    description: WN16-AC-000050
    internal_comment: ''
---


## /rule

The maximum password age must be configured to 60 days or less.

## /description

[**VulnDiscussion**]{.separator type='STIG'}

The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.

[**Documentable**]{.separator type='STIG'}

false

## /implementations/0/description

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Maximum password age" to "60" days or less (excluding "0", which is unacceptable).

## /checks/0/description

Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.

If the value for the "Maximum password age" is greater than "60" days, this is a finding.

If the value is set to "0" (never expires), this is a finding.
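
The same check can be scripted against the `MaximumPasswordAge` value in the `System Access` section named in the `win_secedit` automation above. The following is an added example, not part of the STIG or of the scapolite project; the function name `Test-MaximumPasswordAge`, the temporary file name, and the sample lines are constructed for illustration, and treating any value below 1 as "never expires" is an assumption.

```powershell
# Added example: evaluate MaximumPasswordAge from a secedit export.
# Test-MaximumPasswordAge is a hypothetical helper, not a built-in cmdlet.
function Test-MaximumPasswordAge {
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,
        [int] $MaxDays = 60
    )
    $section = ''
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        # Track which INF section we are in so only [System Access] is read.
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and
            $t -match '^MaximumPasswordAge\s*=\s*(-?\d+)$') {
            $days = [int]$Matches[1]
            # Finding if above the limit, or below 1 (assumed to mean
            # "never expires", which the rule also rejects).
            $finding = ($days -lt 1) -or ($days -gt $MaxDays)
            return [pscustomobject]@{
                Setting = 'MaximumPasswordAge'; Days = $days; Finding = $finding
            }
        }
    }
    # Setting not present in the export: report it for manual review.
    return [pscustomobject]@{
        Setting = 'MaximumPasswordAge'; Days = $null; Finding = $true
    }
}

# Constructed sample of an exported policy file, for an offline run.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
'@ -split "`r?`n"
Test-MaximumPasswordAge -InfLines $sample

# On the server itself, from an elevated prompt: export the security
# policy area and evaluate the real value.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
Test-MaximumPasswordAge -InfLines (Get-Content -Path $cfg)
Remove-Item -Path $cfg
```

A result with `Finding` set to `True` corresponds to one of the two finding conditions above, or to the setting being absent from the export.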

## /checks/1/description

IASE supplies an OVAL check.