CCE-26057-0Platform: cpe:/o:microsoft:windows_server_2012:- | Date: (C)2022-08-12 (M)2023-07-04 |
When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy.
When you disable or not configure this setting, password expiration time may be longer than required by "Password Settings" policy.
Countermeasure:
Enable this setting.
Potential Impact:
Users must change their device password with the frequency specified.
Parameter:
[enabled/disabled]
Technical Mechanism:
(1) GPO: Computer Configuration\Administrative Templates\LAPS\Do not allow password expiration time longer than required by policy
(2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd!PwdExpirationProtectionEnabled
CCSS Severity: | CCSS Metrics: |
CCSS Score : 8.1 | Attack Vector: NETWORK |
Exploit Score: 2.2 | Attack Complexity: HIGH |
Impact Score: 5.9 | Privileges Required: NONE |
Severity: HIGH | User Interaction: NONE |
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:82891 |