2.8 Set 'Password Expiration' to '90' or less

Information

You can configure this setting to specify how long before passwords expire and users must change them.

Rationale:

The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring this setting to 0 so that users are never required to change their passwords is a major security risk because doing so allows a compromised password to be used by a malicious user for as long as the valid user has authorized access to the system.

Solution

To implement the recommended state, execute the following PowerShell cmdlet:

Set-MobileDeviceMailboxPolicy default -PasswordExpiration 90

See Also

https://workbench.cisecurity.org/files/1512

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(d)

Plugin: Windows

Control ID: 1ccdf3179aab47ef15e7e199fb289bd3788b4044ac111bc1211c623b176d67b6