PASSWORD_POLICY

This policy item checks for the values defined in “Windows Settings -> Security Settings -> Account Policies -> Password Policy”.

The check is performed by calling the NetUserModalsGet function with level 1.

Usage

<custom_item>
type: PASSWORD_POLICY
description: ["description"]
value_type: [VALUE_TYPE]
value_data: [value]
(optional) check_type: [value]
password_policy: [PASSWORD_POLICY_TYPE]
</custom_item>

These items use the password_policy field to describe which element of the password policy must be audited. The allowed types are:

  • ENFORCE_PASSWORD_HISTORY (“Enforce password history”)
    value_type: POLICY_DWORD
    value_data: DWORD or RANGE [number of remembered passwords]

  • MAXIMUM_PASSWORD_AGE (“Maximum password age”)
    value_type: TIME_DAY
    value_data: DWORD or RANGE [time in days]

  • MINIMUM_PASSWORD_AGE (“Minimum password age”)
    value_type: TIME_DAY
    value_data: DWORD or RANGE [time in days]

  • MINIMUM_PASSWORD_LENGTH (“Minimum password length”)
    value_type: POLICY_DWORD
    value_data: DWORD or RANGE [minimum number of characters in the password]

  • COMPLEXITY_REQUIREMENTS (“Password must meet complexity requirements”)
    value_type: POLICY_SET
    value_data: "Enabled" or "Disabled"

  • REVERSIBLE_ENCRYPTION (“Store passwords using reversible encryption for all users in the domain”)
    value_type: POLICY_SET
    value_data: "Enabled" or "Disabled"

  • FORCE_LOGOFF (“Network security: Force log off when log on hours expire”)
    value_type: POLICY_SET
    value_data: "Enabled" or "Disabled"

  • LOCKOUT_ADMINS (“Allow Administrator account lockout”)
    value_type: POLICY_SET
    value_data: "Enabled" or "Disabled"

Note: There is currently no way to check for the policy “Store passwords using reversible encryption for all users in the domain”.

The FORCE_LOGOFF policy is located in “Security Settings -> Local Policies -> Security Options”.

Example

The following is an example password policy audit:

<custom_item>
type: PASSWORD_POLICY
description: "Minimum password length"
value_type: POLICY_DWORD
value_data: 7
password_policy: MINIMUM_PASSWORD_LENGTH
</custom_item>
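
An added example, not part of the original documentation: a small Python linter that checks a PASSWORD_POLICY item against the list of allowed types above before an audit file is deployed, so that a mismatched value_type or malformed value_data is caught early. The [low..high] RANGE notation with MIN/MAX bounds and the names parse_items, lint and SAMPLE are assumptions of this example.

```python
import re

# password_policy -> required value_type, from the list of allowed types on this page.
POLICY_TYPES = {
    **dict.fromkeys(("ENFORCE_PASSWORD_HISTORY", "MINIMUM_PASSWORD_LENGTH"), "POLICY_DWORD"),
    **dict.fromkeys(("MAXIMUM_PASSWORD_AGE", "MINIMUM_PASSWORD_AGE"), "TIME_DAY"),
    **dict.fromkeys(("COMPLEXITY_REQUIREMENTS", "REVERSIBLE_ENCRYPTION",
                     "FORCE_LOGOFF", "LOCKOUT_ADMINS"), "POLICY_SET"),
}
REQUIRED = ("type", "description", "value_type", "value_data", "password_policy")
# Assumption: a RANGE is written [low..high]; low may be MIN and high may be MAX.
NUMERIC = re.compile(r"^(\d+|\[(\d+|MIN)\.\.(\d+|MAX)\])$")

def parse_items(text):
    """Return one {field: value} dict per <custom_item> block."""
    items = []
    for body in re.findall(r"<custom_item>(.*?)</custom_item>", text, re.S):
        pairs = (line.partition(":") for line in body.splitlines())
        items.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return items

def lint(item):
    """Return the problems found in one PASSWORD_POLICY item (empty list if none)."""
    missing = [f"missing field: {f}" for f in REQUIRED if f not in item]
    if missing:
        return missing
    expected = POLICY_TYPES.get(item["password_policy"])
    if item["type"] != "PASSWORD_POLICY" or expected is None:
        return [f"unknown type or password_policy: {item['password_policy']}"]
    problems = []
    if item["value_type"] != expected:
        problems.append(f"value_type must be {expected}")
    if expected == "POLICY_SET":
        ok = item["value_data"] in ('"Enabled"', '"Disabled"')
    else:
        ok = NUMERIC.match(item["value_data"]) is not None
    if not ok:
        problems.append(f"value_data is not valid for {expected}")
    return problems

# Constructed sample: a TIME_DAY policy declared with the wrong value_type.
SAMPLE = """<custom_item>
type: PASSWORD_POLICY
description: "Maximum password age"
value_type: POLICY_DWORD
value_data: [1..60]
password_policy: MAXIMUM_PASSWORD_AGE
</custom_item>"""
```

For the constructed SAMPLE, lint(parse_items(SAMPLE)[0]) returns ['value_type must be TIME_DAY']; the minimum password length item shown in the example above returns an empty list.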