3.3 Ensure 'Enforce password history' is set to '4' or greater

Information

This policy setting configures the device password history.

Rationale:

The longer a user uses the same password, the greater the chance that an attacker can determine the password through a brute force attack. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. If you specify a low number for this setting, users will be able to use the same small number of passwords repeatedly.

Impact:

Users will be required to create a new unique password every time it needs to be changed.

Note: This is a mobile device management setting. Use caution when applying these settings as they could have adverse effects depending on the environment, and internal policies around bring your own device (BYOD). These policies could affect a user's BYOD.

Solution

To implement the recommended state, execute the following PowerShell cmdlet:

Set-MobileDeviceMailboxPolicy 'Profile' -PasswordHistory 4

OR

Perform the following actions:

Launch the EAC (Exchange Administrative Center).

Go to 'Mobile' on the left and click on the 'Mobile device mailbox policies' tab.

Double-click the policy you wish to modify and go to the 'Security' settings.

Change the Password recycle count to 4 and click Save.

Default Value:

0

See Also

https://workbench.cisecurity.org/benchmarks/12442

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Windows

Control ID: ed9ed3b2042ae14372a041aac76a008614cdc36c2a0827816789bae95acaeb83