2.7 Set 'Enforce Password History' to '4' or greater

Information

Retaining the password history ensures that old passwords will not be reused within a reasonable timeframe.

Rationale:

The longer a user uses the same password, the greater the chance that an attacker can determine the password through a brute force attack. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. If you specify a low number for this setting, users will be able to use the same small number of passwords repeatedly.

Solution

To implement the recommended state, execute the following PowerShell cmdlet:

Set-MobileDeviceMailboxPolicy <Profile> -PasswordHistory 4

See Also

https://workbench.cisecurity.org/files/1514

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(e)

Plugin: Windows

Control ID: 737a91e70a6c3b5916415b9548c3e2810aace0f33971bae122e352e23e5d62ca