Configure the "Password Expiration" to organizational standards.


CONTROL ID
08576
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards., CC ID: 07621

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Configure the "Password Expiration" setting to "90". (E25FCF4E-3E46-4FA6-8A77-B5EE94918AC5, Exchange2007SP3 CAS Services Security, 1.0)
  • Configure the "Password Expiration" setting to "90". (E356D51A-E9D1-4FBA-8FCF-99C301F15FFA, Exchange2010SP2 CAS Services Security, 1.0)
  • Ensure password expiration is 365 days or less Description: The `PASS_MAX_DAYS` parameter in `/etc/login.defs` allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the `PASS_MAX_DAYS` parameter be set to less than or equal to 365 days. _Notes:_ -… (5.5.1.1, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure password expiration is 365 days or less Description: The `PASS_MAX_DAYS` parameter in `/etc/login.defs` allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the `PASS_MAX_DAYS` parameter be set to less than or equal to 365 days. _Notes:_ -… (5.5.1.1, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Title: Set Password Expiration Days Description: The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days. Rationale: The window of… (Rule: xccdf_org.cisecurity.benchmarks_rule_7.1.1_Set_Password_Expiration_Days Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_7.1.1.1_password.expirationlength, The Center for Internet Security CentOS 6 Level 1 Benchmark, 1.0.0)
  • Title: Set Password Expiration Days Description: The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days. Rationale: The window … (Rule: xccdf_org.cisecurity.benchmarks_rule_7.1.1_Set_Password_Expiration_Days Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_7.1.1.1_password.expirationlength, The Center for Internet Security Red Hat Enterprise Linux 6 Level 1 Benchmark, 1.2.0)
  • Title: Set Password Expiration Days Description: The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days. Rationale: The window … (Rule: xccdf_org.cisecurity.benchmarks_rule_7.1.1_Set_Password_Expiration_Days Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_7.1.1.1_password.expirationlength, The Center for Internet Security Red Hat Enterprise Linux 6 Level 2 Benchmark, 1.2.0)
  • Title: Set Password Expiration Days Description: The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days. Rationale: The w… (Rule: xccdf_org.cisecurity.benchmarks_rule_10.1.1_Set_Password_Expiration_Days Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_10.1.1.1_password.expirationlength, The Center for Internet Security Ubuntu 12.04 LTS Level 1 Benchmark, v1.0.0)
  • Title: Set Password Expiration Days Description: The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days. Rationale: The w… (Rule: xccdf_org.cisecurity.benchmarks_rule_10.1.1_Set_Password_Expiration_Days Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_10.1.1.1_password.expirationlength, The Center for Internet Security Ubuntu 12.04 LTS Level 2 Benchmark, v1.0.0)
  • Ensure password expiration is 365 days or less Description: The `PASS_MAX_DAYS` parameter in `/etc/login.defs` allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the `PASS_MAX_DAYS` parameter be set to less than or equal to 365 days. Rationale:… (5.5.1.1, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
  • Ensure password expiration is 365 days or less Description: The `PASS_MAX_DAYS` parameter in `/etc/login.defs` allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the `PASS_MAX_DAYS` parameter be set to less than or equal to 365 days. Rationale:… (5.5.1.1, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
  • Verify that time-based OTPs have a defined lifetime before expiring. (2.8.1, Application Security Verification Standard 4.0.3, 4.0.3)
  • The "Password Expiration" setting should be configured correctly. Technical Mechanisms: (1) Powershell: Get-ExchangeConfiguration -configType PasswordExpiration | Select-Object -Property SettingData Parameters: 1:00:00:00 - 730:00:00:00 Days References: Microsoft Tool: Security Compliance… (CCE-19349-0, Common Configuration Enumeration List, Combined XML: Microsoft Exchange 2007, 5.20130214)
  • The "Password Expiration" setting should be configured correctly. Technical Mechanisms: (1) Powershell: Get-ExchangeConfiguration -configType PasswordExpiration | Select-Object -Property SettingData Parameters: 1:00:00:00 - 730:00:00:00 Days References: Microsoft Tool: Security Compliance… (CCE-19215-3, Common Configuration Enumeration List, Combined XML: Microsoft Exchange Server 2010, 5.20130214)
  • 10 days, when sent to a postal address of record within the contiguous United States; (4.4.1.6 5.e.i, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • The CSP MAY provide an enrollment code directly to the subscriber if binding to an authenticator will occur at a later time. The enrollment code SHALL be valid for a maximum of 7 days. (4.5.6 4, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • 24 hours, when sent to an email address of record. (4.4.1.6 5.e.iv, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • 10 minutes, when sent to a telephone of record (SMS or voice); (4.4.1.6 5.e.iii, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • 30 days, when sent to a postal address of record outside the contiguous United States; (4.4.1.6 5.e.ii, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • The enrollment code SHALL be valid for a maximum of 7 days. (4.4.1.6 4.c, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • Shall not be set to never expire, and [IA-5 (CE1(d))] (REQUIREMENTS 2.4.2., Standard 630S1: Authenticator Management, 630S1-02)