Windows service \ application accounts with administrative privileges and manually managed passwords, must have passwords changed at least every 60 days.

From Active Directory Domain Security Technical Implementation Guide (STIG)

Associated with IA controls: IAIA-1

Associated with: CCI-000199

SV-56889r2_rule Windows service \ application accounts with administrative privileges and manually managed passwords, must have passwords changed at least every 60 days.

Vulnerability discussion

NT hashes of passwords for accounts that are not changed regularly are susceptible to reuse by attackers using Pass-the-Hash. Windows service \ application account passwords are not typically changed for longer periods of time to ensure availability of the applications. If a service \ application also has administrative privileges it will provide elevated access if compromised.

Check content

If no Windows service \ application accounts with manually managed passwords have administrative privileges, this is NA. Verify Windows service \ application accounts with administrative privileges and manually managed passwords, have passwords changed at least every 60 days.

Fix text

If no Windows service \ application accounts with manually managed passwords have administrative privileges, this is NA. Change passwords for Windows service \ application accounts with administrative privileges and manually managed passwords, at least every 60 days.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.