This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days. Note: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources. Default: 42. Countermeasure: Configure the Maximum password age setting to a value that is suitable for your organization's business requirements. When configuring this setting you should also configure the Minimum password age to a value that makes sense in combination with this one. Potential Impact: If the Maximum password age setting is too low, users are required to change their passwords very often. Such a configuration can reduce security in the organization, because users might write their passwords in an insecure location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts. Fix: (1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsAccount PoliciesPassword PolicyMaximum password age (2) REG: ### (3) WMI: ###

[maximum no of days]

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age (2) REG: ### (3) WMI: ###