PASSWORD_POLICY

This policy item checks for the values defined in “Windows Settings -> Security Settings -> Account Policies -> Password Policy”.

The check is performed by calling the function NetUserModalsGet with level 1.

Usage

<custom_item>
 type: PASSWORD_POLICY
 description: ["description"]
 value_type: [VALUE_TYPE]
 value_data: [value]
 (optional) check_type: [value]
 password_policy: [PASSWORD_POLICY_TYPE]
</custom_item>

These items use the password_policy field to describe which element of the password policy must be audited. The allowed types are:

  • ENFORCE_PASSWORD_HISTORY (“Enforce password history”)

    value_type: POLICY_DWORD

    value_data: DWORD or RANGE [number of remembered passwords]

  • MAXIMUM_PASSWORD_AGE (“Maximum password age”)

    value_type: TIME_DAY

    value_data: DWORD or RANGE [time in days]

  • MINIMUM_PASSWORD_AGE (“Minimum password age”)

    value_type: TIME_DAY

    value_data: DWORD or RANGE [time in days]

  • MINIMUM_PASSWORD_LENGTH (“Minimum password length”)

    value_type: POLICY_DWORD

    value_data: DWORD or RANGE [minimum number of characters in the password]

  • COMPLEXITY_REQUIREMENTS (“Password must meet complexity requirements”)

    value_type: POLICY_SET

    value_data: "Enabled" or "Disabled"

  • REVERSIBLE_ENCRYPTION (“Store passwords using reversible encryption for all users in the domain”)

    value_type: POLICY_SET

    value_data: "Enabled" or "Disabled"

  • FORCE_LOGOFF (“Network security: Force logoff when logon hours expire”)

    value_type: POLICY_SET

    value_data: "Enabled" or "Disabled"

Note: There is currently no way to check for the policy “Store password using reversible encryption for all users in the domain”.

The FORCE_LOGOFF policy is located in “Security Settings -> Local Policies -> Security Options”.

Example

The following is an example password policy audit:

<custom_item>
 type: PASSWORD_POLICY
 description: "Minimum password length"
 value_type: POLICY_DWORD
 value_data: 7
 password_policy: MINIMUM_PASSWORD_LENGTH
</custom_item>
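
The value_type and value_data rules listed above can be checked before an audit file is deployed. The following Python linter is an added example, not Tenable's code: it parses custom_item blocks and reports PASSWORD_POLICY items whose value_type or value_data does not match the allowed types on this page. The function names, the constructed sample item, and the rule that any value_data beginning with "[" is accepted as a RANGE without further checking are assumptions.

```python
import re

# value_type required for each password_policy, as listed on this page.
EXPECTED_TYPE = {
    **dict.fromkeys(("ENFORCE_PASSWORD_HISTORY", "MINIMUM_PASSWORD_LENGTH"), "POLICY_DWORD"),
    **dict.fromkeys(("MAXIMUM_PASSWORD_AGE", "MINIMUM_PASSWORD_AGE"), "TIME_DAY"),
    **dict.fromkeys(("COMPLEXITY_REQUIREMENTS", "REVERSIBLE_ENCRYPTION", "FORCE_LOGOFF"), "POLICY_SET"),
}
REQUIRED = ("type", "description", "value_type", "value_data", "password_policy")

def parse_items(text):
    """Return one {field: value} dict per <custom_item> block."""
    items = []
    for body in re.findall(r"<custom_item>(.*?)</custom_item>", text, re.S):
        pairs = (line.partition(":") for line in body.splitlines())
        items.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return items

def lint_item(item):
    """Return a list of problems found in one PASSWORD_POLICY item."""
    missing = [f"missing field: {f}" for f in REQUIRED if f not in item]
    if missing:
        return missing
    policy, vtype, data = item["password_policy"], item["value_type"], item["value_data"]
    if item["type"] != "PASSWORD_POLICY" or policy not in EXPECTED_TYPE:
        return [f"unknown type/password_policy: {item['type']}/{policy}"]
    problems = []
    if vtype != EXPECTED_TYPE[policy]:
        problems.append(f"{policy} needs value_type {EXPECTED_TYPE[policy]}, got {vtype}")
    if EXPECTED_TYPE[policy] == "POLICY_SET":
        if data not in ('"Enabled"', '"Disabled"'):
            problems.append(f'{policy} needs value_data "Enabled" or "Disabled", got {data}')
    # Assumption: a value starting with "[" is a RANGE; its syntax is not checked here.
    elif not (data.isdigit() or data.startswith("[")):
        problems.append(f"{policy} needs a DWORD or RANGE value_data, got {data}")
    return problems

# Constructed sample: a deliberately wrong item (numeric type on an Enabled/Disabled policy).
SAMPLE = """<custom_item>
 type: PASSWORD_POLICY
 description: "Complexity"
 value_type: POLICY_DWORD
 value_data: 1
 password_policy: COMPLEXITY_REQUIREMENTS
</custom_item>"""

if __name__ == "__main__":
    for item in parse_items(SAMPLE):
        print(item.get("description"), lint_item(item) or "OK")
```
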

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.