20.46 Ensure 'Passwords are configured to expire'

Information

This policy setting ensures that all passwords for accounts are configured to expire.

Passwords that do not expire or are reused stay exposed for longer, which increases the probability that they are discovered or cracked.

Solution

Configure all enabled user account passwords to expire.

Domain Controllers:

- Open Active Directory Users and Computers

- Uncheck Password never expires for all enabled user accounts

Member servers and standalone systems:

- Open Computer Management

- Go to Users

- Uncheck Password never expires for all enabled user accounts

Note: Document any exceptions with the ISSO.
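
An added example (not part of the CIS benchmark or this page's original text): a read-only PowerShell audit that lists the enabled accounts the steps above would have to change, so the result can be compared against the exceptions documented with the ISSO. It assumes the ActiveDirectory module is installed on domain controllers; the function name Get-NonExpiringAccount is hypothetical.

```powershell
# Added example: report enabled accounts that have "Password never expires" set.
# Read-only: it lists accounts and changes nothing.

function Get-NonExpiringAccount {   # hypothetical helper name
    [CmdletBinding()]
    param()

    # Win32_ComputerSystem.DomainRole: 0-3 = workstation/server (standalone or member),
    # 4 = backup domain controller, 5 = primary domain controller
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

    if ($role -ge 4) {
        # Domain controller: query Active Directory (assumes the ActiveDirectory module)
        Import-Module ActiveDirectory -ErrorAction Stop
        Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
                   -Properties PasswordNeverExpires, PasswordLastSet |
            Select-Object @{ n = 'Scope';   e = { 'Domain' } },
                          @{ n = 'Account'; e = { $_.SamAccountName } },
                          PasswordLastSet
    }
    else {
        # Member server or standalone system: local accounts only.
        # PasswordExpires = FALSE corresponds to the "Password never expires" box.
        $wql = 'LocalAccount = TRUE AND Disabled = FALSE AND PasswordExpires = FALSE'
        Get-CimInstance -ClassName Win32_UserAccount -Filter $wql |
            Select-Object @{ n = 'Scope';   e = { 'Local' } },
                          @{ n = 'Account'; e = { $_.Name } },
                          @{ n = 'PasswordLastSet'; e = { $null } }
    }
}

$findings = @(Get-NonExpiringAccount)

if ($findings.Count -eq 0) {
    Write-Output 'PASS: no enabled account has "Password never expires" set.'
}
else {
    Write-Output "FAIL: $($findings.Count) enabled account(s) have non-expiring passwords."
    # Each account listed here needs the box unchecked or a documented exception.
    $findings | Sort-Object Account | Format-Table -AutoSize
}
```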

Impact:

All passwords will be configured to expire.

See Also

https://workbench.cisecurity.org/benchmarks/15105