3.1 Ensure 'Allow simple passwords' is set to 'False'

Information

This policy setting configures the use of strong passwords to unlock mobile devices before they can connect via ActiveSync to an Exchange server.

Rationale:

Allowing simple passwords can make it easier for an attacker to correctly guess them.

Impact:

Users will be forced to use strong passwords.

Note: This is a mobile device management setting. Use caution when applying these settings as they could have adverse effects depending on the environment, and internal policies around bring your own device (BYOD). These policies could affect a user's BYOD.

Solution

To implement the recommended state, execute the following PowerShell cmdlet:

Set-MobileDeviceMailboxPolicy 'Profile' -AllowSimplePassword $false

OR

Perform the following actions:

Launch the EAC (Exchange Administrative Center).

Go to 'Mobile' on the left and click on the 'Mobile device mailbox policies' tab.

Double-click the policy you wish to modify and go to the 'Security' settings.

Ensure the Allow simple passwords box is not checked and click Save.

Default Value:

True

See Also

https://workbench.cisecurity.org/benchmarks/12442

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Windows

Control ID: 6d3b12c8213479e1f513bd592b96a373d8bd353f496b5fac3943c2a5a9d2a7b2