STIGQter: STIG Summary: Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide Version: 3 Release: 2 Benchmark Date: 04 May 2021:

Windows 2012/2012 R2 passwords must be configured to expire.

DISA Rule

SV-226247r569184_rule

Vulnerability Number

V-226247

Group Title

SRG-OS-000076-GPOS-00044

Rule Version

WN12-GE-000016

Severity

CAT II

CCI(s)

• CCI-000199 - The information system enforces maximum password lifetime restrictions.

Weight

10

Fix Recommendation

Configure all enabled user account passwords to expire.

Uncheck "Password never expires" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone systems. Document any exceptions with the ISSO.

Check Contents

Review the password never expires status for enabled user accounts.

Open "Windows PowerShell" with elevated privileges (run as administrator).

Domain Controllers:

Enter "Search-ADAccount -PasswordNeverExpires -UsersOnly | Where PasswordNeverExpires -eq True | FT Name, PasswordNeverExpires, Enabled".

Exclude application accounts and disabled accounts (e.g., Guest).
Domain accounts requiring smart card (CAC/PIV) may also be excluded.

If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding.

Member servers and standalone systems:

Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'.

Exclude application accounts and disabled accounts (e.g., Guest).

If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding.

Vulnerability Number

V-226247

Documentable

False

Rule Version

WN12-GE-000016

Severity Override Guidance

Review the password never expires status for enabled user accounts.

Open "Windows PowerShell" with elevated privileges (run as administrator).

Domain Controllers:

Enter "Search-ADAccount -PasswordNeverExpires -UsersOnly | Where PasswordNeverExpires -eq True | FT Name, PasswordNeverExpires, Enabled".

Exclude application accounts and disabled accounts (e.g., Guest).
Domain accounts requiring smart card (CAC/PIV) may also be excluded.

If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding.

Member servers and standalone systems:

Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'.

Exclude application accounts and disabled accounts (e.g., Guest).

If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding.

Check Content Reference

M

Target Key

4217

Comments