WG060 IIS6 - The service account ID used to run the web service must have its password changed at least annually.

Information

Normally, a service account is established for the web service to run under rather than permitting it to run as system or root. The password on such accounts must be changed at least annually. It is a fundamental tenet of security that passwords are not to be null and not to be set to never expire.
Review the service accounts listed for the web server and ensure the passwords are changed annually.
For IIS or other web server installations that are running as LocalSystem, the password is changed automatically by the OS every 7 days.
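
One way to perform this review from PowerShell, as an added example that is not part of the STIG or the audit file. It assumes the web service runs under the Windows services W3SVC and IISADMIN (adjust `-ServiceName` for the site) and that the logon account is given as `DOMAIN\user` or `.\user`; the parameter and column names are illustrative.

```powershell
# Added example: report password age for the accounts that run the web services.
# Assumption: W3SVC and IISADMIN are the services to check; override with -ServiceName.
param(
    [string[]]$ServiceName = @('W3SVC', 'IISADMIN'),
    [int]$MaxAgeDays = 365                      # "at least annually"
)

$DONT_EXPIRE_PASSWD = 0x10000                   # ADS_UF_DONT_EXPIRE_PASSWD bit in UserFlags
$builtIn = '^(LocalSystem|NT AUTHORITY\\.+)$'   # OS-managed identities, no password to rotate

foreach ($name in $ServiceName) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "Service '$name' not found"; continue }

    $account = $svc.StartName
    $row = @{ Service = $name; Account = $account; AgeDays = $null
              NeverExpires = $null; Finding = $false; Note = '' }

    if ($account -match $builtIn) {
        $row.Note = 'Built-in account, password managed by the OS'
    } elseif ($account -like '*@*') {
        $row.Note = 'UPN-style account, check manually'
    } else {
        # Split DOMAIN\user; a bare name or ".\user" means a local account.
        $domain, $user = $account -split '\\', 2
        if (-not $user) { $user = $domain; $domain = '.' }
        if ($domain -eq '.') { $domain = $env:COMPUTERNAME }
        try {
            $entry = [ADSI]"WinNT://$domain/$user,user"
            # PasswordAge is reported in seconds since the last change.
            $row.AgeDays = [math]::Floor($entry.PasswordAge.Value / 86400)
            $row.NeverExpires = [bool]($entry.UserFlags.Value -band $DONT_EXPIRE_PASSWD)
            # Finding: password older than the limit, or set to never expire.
            $row.Finding = ($row.AgeDays -gt $MaxAgeDays) -or $row.NeverExpires
        } catch {
            $row.Note = "Lookup failed: $($_.Exception.Message)"
        }
    }
    New-Object PSObject -Property $row |
        Select-Object Service, Account, AgeDays, NeverExpires, Finding, Note
}
```

Rows with `Finding` set to `True` identify accounts whose password is older than the limit or is flagged to never expire; rows with a `Note` need manual review.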

Solution

Configure the service account ID used to run the web site to have its password changed at least annually.

See Also

http://iasecontent.disa.mil/stigs/zip/July2015/U_IIS_6-0_V6R16_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2j., CAT|II, Rule-ID|SV-38189r1_rule, STIG-ID|WG060_IIS6, Vuln-ID|V-2235

Plugin: Windows

Control ID: dabd0d1d3d01e0a7b29d2aa0cc79add6c0f0c4df43626de0813fdfd65729ff00