Domain member: Maximum machine account password age
ID: oval:org.secpod.oval:def:8812 | Date: (C)2013-01-21 (M)2023-07-14
Class: COMPLIANCE | Family: windows
The Domain member: Maximum machine account password age setting should be configured correctly.
This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker has more time to carry out a brute-force attack against one of the computer accounts.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age
(2) KEY: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
Platform: Microsoft Windows Server 2008 R2