1.1.5 Ensure 'Password Policy' is enabled

Information

Enforces the Enterprise Password Policy by setting compliant local password requirements on the security appliance.

Rationale:

The password policy helps prevent unauthorized access by requiring more complex passwords that are harder to guess. This applies to the local user database.

Impact:

Excessive password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous one (incrementing a number used in the password, for example). Also, password expiration requirements offer no containment benefits because attackers will often use credentials as soon as they compromise them. Instead, immediate password changes should be based on key events including, but not limited to:

- Indication of compromise
- Change of user roles
- When a user leaves the organization

Not only does changing passwords every few weeks or months frustrate the user, it has been suggested that it does more harm than good, because it could lead to bad practices by the user such as adding a character to the end of their existing password.

In addition, we also recommend a yearly password change. This is primarily because, for all their good intentions, users will share credentials across accounts. Therefore, even if a breach is publicly identified, the user may not see this notification, or may forget they have an account on that site. This could leave a shared credential vulnerable indefinitely. Having an organizational policy of a 1-year (annual) password expiration is a reasonable compromise to mitigate this with minimal user burden.

Solution

Step 1: Run the following to set the password lifetime in days to less than or equal to 365

hostname(config)#password-policy lifetime 365

Step 2: Run the following to set the minimum number of characters that must be changed between the old and the new passwords to be greater than or equal to 14

hostname(config)#password-policy minimum-changes 14

Step 3: Run the following to set the minimum number of upper case characters in the password to be greater than or equal to 1

hostname(config)#password-policy minimum-uppercase 1

Step 4: Run the following to set the minimum number of lower case characters in the password to be greater than or equal to 1

hostname(config)#password-policy minimum-lowercase 1

Step 5: Run the following to set the minimum number of numeric characters in the password, to be greater than or equal to 1

hostname(config)#password-policy minimum-numeric 1

Step 6: Run the following to set the minimum number of special characters in the password, to be greater than or equal to 1

hostname(config)#password-policy minimum-special 1

Step 7: Run the following to set the password minimum length, to be greater than or equal to 14

hostname(config)#password-policy minimum-length 14

Default Value:

Password policy is disabled by default.

The following are default values:

password-policy lifetime 0
password-policy minimum-changes 0
password-policy minimum-length 3
password-policy minimum-uppercase 0
password-policy minimum-lowercase 0
password-policy minimum-numeric 0
password-policy minimum-special 0
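As an added example (not part of this audit item or of the Cisco CLI), a small Python checker that evaluates the `password-policy` lines of a running-config against the seven thresholds in the Solution steps above, filling any missing key from the appliance defaults just listed. The sample config is constructed; the checker also flags a lifetime of 0, since that default means passwords never expire.

```python
import re
# Thresholds from the Solution steps above: lifetime must be non-zero
# (0 = never expires) and at most 365 days; every other key is a minimum.
REQUIREMENTS = {
    "lifetime": ("max", 365), "minimum-changes": ("min", 14),
    "minimum-uppercase": ("min", 1), "minimum-lowercase": ("min", 1),
    "minimum-numeric": ("min", 1), "minimum-special": ("min", 1),
    "minimum-length": ("min", 14),
}
# Appliance defaults listed above, used when a key is absent from the config.
DEFAULTS = {
    "lifetime": 0, "minimum-changes": 0, "minimum-length": 3,
    "minimum-uppercase": 0, "minimum-lowercase": 0,
    "minimum-numeric": 0, "minimum-special": 0,
}
LINE_RE = re.compile(r"^\s*password-policy\s+([a-z-]+)\s+(\d+)\s*$")

def parse_password_policy(config_text):
    """Return {key: int} for each password-policy line; defaults fill the rest."""
    policy = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) in policy:
            policy[m.group(1)] = int(m.group(2))
    return policy

def check_password_policy(config_text):
    """Return a list of findings; an empty list means the control passes."""
    policy = parse_password_policy(config_text)
    findings = []
    for key, (kind, bound) in REQUIREMENTS.items():
        value = policy[key]
        if key == "lifetime" and value == 0:
            findings.append(f"{key} is 0 (never expires); expected 1..{bound}")
        elif kind == "max" and value > bound:
            findings.append(f"{key} is {value}; expected <= {bound}")
        elif kind == "min" and value < bound:
            findings.append(f"{key} is {value}; expected >= {bound}")
    return findings

# Constructed sample: Steps 1-4 and 6 applied, Step 5 skipped, Step 7 set too low.
SAMPLE_CONFIG = """password-policy lifetime 365
password-policy minimum-changes 14
password-policy minimum-uppercase 1
password-policy minimum-lowercase 1
password-policy minimum-special 1
password-policy minimum-length 8
"""

if __name__ == "__main__":
    for finding in check_password_policy(SAMPLE_CONFIG):
        print("FAIL:", finding)
```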

See Also

https://workbench.cisecurity.org/benchmarks/7194

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-1, 800-53|AC-2, 800-53|AC-2(1), 800-53|AC-3, 800-53|IA-4, 800-53|IA-5, 800-53|IA-5(1), CSCv7|4.4

Plugin: Cisco

Control ID: 4bd144f3c2710fdbaeab83da2944989bcadd3e3ad06feddb81cf918a5b9dda1a