1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'

Information

This policy setting defines how long a user can use their password before it expires.

Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire.

Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current.

The recommended state for this setting is 60 or fewer days, but not 0.

Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.

Note #2: The recommended CIS state for this setting is 365 or fewer days, but not 0 which differs from the STIG recommended state.

Rationale:

The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user has authorized access.


Impact:

If the Maximum password age setting is too low, users are required to change their passwords very often. Such a configuration can reduce security in the organization, because users might write their passwords in an insecure location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts.

Solution

To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0:

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age

Default Value:

42 days.

Additional Information:

Microsoft Windows Server 2016 Security Technical Implementation Guide:
Version 2, Release 2, Benchmark Date: May 04, 2021

Vul ID: V-224870
Rule ID: SV-224870r569186_rule
STIG ID: WN16-AC-000050
Severity: CAT II

See Also

https://workbench.cisecurity.org/files/3476