2.3.7.7 Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'

Information

This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire.

The recommended state for this setting is: between 5 and 14 days

It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections.

Solution

To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days :

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration

Impact:

Users will see a dialog box prompt to change their password each time that they log on to the domain when their password is configured to expire between 5 and 14 days.

See Also

https://workbench.cisecurity.org/benchmarks/18857

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)

Plugin: Windows

Control ID: 9935e2e1d62db5a2751a2c4d19a5ee369e82741eee34b7a8ec89a960b712ed5b