STIGQter: STIG Summary: Windows Server 2008 R2 Member Server Security Technical Implementation Guide, Version: 1, Release: 30, Benchmark Date: 26 Jul 2019

The maximum age for machine account passwords will be set to requirements.

DISA Rule

SV-32321r1_rule

Vulnerability Number

V-3373

Group Title

Maximum Machine Account Password Age

Rule Version

4.043

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Domain Member: Maximum Machine Account Password Age” to 30 or less, but not 0.

Check Contents

Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> Security Options.

If the value for “Domain Member: Maximum Machine Account Password Age” is 0 or greater than 30 (30 is the default), this is a finding.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\

Value Name: MaximumPasswordAge

Value Type: REG_DWORD
Value: 30
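
The registry check above can be scripted for use on hosts where the Security Configuration and Analysis snap-in is not convenient. The PowerShell function below is an added example, not part of the STIG or of STIGQter; the function name Test-MachineAccountPasswordAge, its parameter and its output fields are hypothetical. It reports a missing or wrongly typed value as "Review" rather than deciding compliance.

```powershell
# Added example: evaluates V-3373 from the registry value named in the check text.
# Function name, parameter and output fields are hypothetical, not from the STIG.
function Test-MachineAccountPasswordAge {
    [CmdletBinding()]
    param(
        # Upper bound from the check text: 0 or greater than 30 is a finding.
        [int]$MaxDays = 30
    )

    $path = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'
    $name = 'MaximumPasswordAge'
    $result = [ordered]@{
        Rule = 'V-3373'; Path = $path; Name = $name
        Kind = $null; Value = $null; Status = $null; Detail = $null
    }

    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $name) {
        # Value absent: nothing to compare, so leave the decision to the reviewer.
        $result.Status = 'Review'
        $result.Detail = 'Registry value not present'
    }
    else {
        $result.Kind  = $key.GetValueKind($name)
        $result.Value = $key.GetValue($name)
        if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $result.Status = 'Review'
            $result.Detail = 'Value type is not REG_DWORD'
        }
        elseif ($result.Value -le 0 -or $result.Value -gt $MaxDays) {
            # .NET returns a DWORD as a signed Int32, so a negative number here
            # is really a very large unsigned value and is also out of range.
            $result.Status = 'Finding'
            $result.Detail = "Value must be 1..$MaxDays"
        }
        else {
            $result.Status = 'NotAFinding'
            $result.Detail = "Value is within 1..$MaxDays"
        }
    }
    [pscustomobject]$result
}

Test-MachineAccountPasswordAge
```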

Documentable

False

Severity Override Guidance

Check Content Reference

M

Third-Party Tools

HK

Responsibility

System Administrator

Target Key

1823

Comments