STIG Summary: Windows Server 2008 R2 Member Server Security Technical Implementation Guide, Version: 1, Release: 30, Benchmark Date: 26 Jul 2019: The built-in Windows password complexity policy must be enabled.

DISA Rule

SV-32298r2_rule

Vulnerability Number

V-1150

Group Title

Microsoft Strong Password Filtering

Rule Version

3.028

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Password must meet complexity requirements" to "Enabled".

Check Contents

Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Account Policies >> Password Policy.

If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding.

Note: If an external password filter is in use that enforces all 4 character types and requires this setting be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.
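
The check above can also be scripted. The following PowerShell is an added example, not part of the STIG content: it exports the system's current security settings with `secedit` and reads `PasswordComplexity` from the `[System Access]` section, where 1 corresponds to "Enabled". The function name `Test-PasswordComplexityPolicy` and the temporary file name are assumptions, and the external password filter exception in the note still has to be reviewed by hand.

```powershell
# Added example (not from the STIG). Run from an elevated prompt on the member server.
# Written to work on PowerShell 2.0, the version shipped with Windows Server 2008 R2.
function Test-PasswordComplexityPolicy {
    # Hypothetical temp-file name; a GUID avoids clobbering an existing file.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    $value = $null
    try {
        # Export the account/security policy area to an INF file.
        secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
            throw "secedit export failed (exit code $LASTEXITCODE); run elevated."
        }

        # Track the current INF section so only [System Access] is inspected.
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*\[(.+)\]\s*$') {
                $inSection = ($Matches[1] -eq 'System Access')
            }
            elseif ($inSection -and
                    $line -match '^\s*PasswordComplexity\s*=\s*(\d+)\s*$') {
                $value = [int]$Matches[1]
            }
        }
    }
    finally {
        # The export contains policy details; do not leave it in %TEMP%.
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }

    # Anything other than 1 (including a missing entry) is reported as a finding.
    New-Object PSObject -Property @{
        Rule               = 'V-1150'
        PasswordComplexity = $value
        Finding            = ($value -ne 1)
    }
}

Test-PasswordComplexityPolicy | Format-List Rule, PasswordComplexity, Finding
```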

Documentable

False

Check Content Reference

M

Responsibility

System Administrator

Target Key

1823
