STIGQter: STIG Summary: Microsoft Lync 2013 STIG Version: 1 Release: 4 Benchmark Date: 27 Apr 2018:

The ability of Lync to store user passwords must be disabled.

DISA Rule

SV-52834r1_rule

Vulnerability Number

V-40776

Group Title

DTOO420 - Store user passwords

Rule Version

DTOO420

Severity

CAT II

CCI(s)

• CCI-000196 - The information system, for password-based authentication, stores only cryptographically-protected passwords.

Weight

10

Fix Recommendation

Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Lync 2013 -> Microsoft Lync Feature Policies "Allow storage of user passwords" to "Disabled".

Check Contents

Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Lync 2013 -> Microsoft Lync Feature Policies "Allow storage of user passwords" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKLM\Software\Policies\Microsoft\office\15.0\lync

Criteria: If the value savepassword is REG_DWORD = 0, this is not a finding.

Vulnerability Number

V-40776

Documentable

False

Rule Version

DTOO420

Severity Override Guidance

Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Lync 2013 -> Microsoft Lync Feature Policies "Allow storage of user passwords" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKLM\Software\Policies\Microsoft\office\15.0\lync

Criteria: If the value savepassword is REG_DWORD = 0, this is not a finding.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

2488

Comments