CIFS Account Password Never Expires

Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published: November 01, 2004
Added: November 01, 2004
Modified: July 12, 2012

Description

The CIFS account does not require password expiration. This is a security risk: with no expiration, an attacker can run a brute-force attack to guess the user's password, and such an attack succeeds with greater likelihood over a prolonged period because the password is never changed.

Solution

  • Microsoft Windows Vista, Microsoft Windows Vista Home, Basic Edition, Microsoft Windows Vista Home, Basic N Edition, Microsoft Windows Vista Home, Premium Edition, Microsoft Windows Vista Ultimate Edition, Microsoft Windows Vista Enterprise Edition, Microsoft Windows Vista Business Edition, Microsoft Windows Vista Business N Edition, Microsoft Windows Vista Starter Edition, Microsoft Windows Server 2008, Microsoft Windows Server 2008 Standard Edition, Microsoft Windows Server 2008 Enterprise Edition, Microsoft Windows Server 2008 Datacenter Edition, Microsoft Windows Server 2008 HPC Edition, Microsoft Windows Server 2008 Web Edition, Microsoft Windows Server 2008 Storage Edition, Microsoft Windows Small Business Server 2008, Microsoft Windows Essential Business Server 2008, Microsoft Windows Server 2012, Microsoft Windows Server 2012 Essentials Edition, Microsoft Windows Server 2012 Standard Edition, Microsoft Windows Server 2012 Datacenter Edition, Microsoft Windows Server 2012 Foundation Edition, Microsoft Windows Storage Server 2012, Microsoft Windows 7, Microsoft Windows 7 Home, Basic Edition, Microsoft Windows 7 Home, Basic N Edition, Microsoft Windows 7 Home, Premium Edition, Microsoft Windows 7 Home, Premium N Edition, Microsoft Windows 7 Ultimate Edition, Microsoft Windows 7 Ultimate N Edition, Microsoft Windows 7 Enterprise Edition, Microsoft Windows 7 Enterprise N Edition, Microsoft Windows 7 Professional Edition, Microsoft Windows 7 Starter Edition, Microsoft Windows 7 Starter N Edition, Microsoft Windows Embedded Standard 7, Microsoft Windows Server 2008 R2, Microsoft Windows Server 2008 R2, Enterprise Edition, Microsoft Windows Server 2008 R2, Standard Edition, Microsoft Windows Server 2008 R2, Datacenter Edition, Microsoft Windows Server 2008 R2, Web Edition, Microsoft Windows 8, Microsoft Windows 8 Enterprise Edition, Microsoft Windows 8 Professional Edition, Microsoft Windows RT

    Set the password expiration for Windows Vista/2008 and newer

    1. Open the Windows Control Panel.
    2. Select "Administrative Tools".
    3. To change the domain-wide lockout policy, select "Domain Security Policy" (or "Domain Controller Security Policy" if the computer is a Domain Controller). Otherwise, to change the policy for this computer only, select "Local Security Policy."
    4. Expand the "Account Policies" folder and select "Password Policy".
    5. Set the Maximum Password Age. This setting enforces the maximum length of time before a password must be changed. A value between 30 and 90 days is recommended.
    6. Restart the system for the changes to take effect.
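    The same policy change can be applied and verified from the command line. The script below is an added example, not code from the Rapid7 page; it assumes an elevated PowerShell session, and the RSAT ActiveDirectory module when the -Domain switch is used. The parameter names (-MaxAgeDays, -Domain) are this example's own. Locally it uses "net accounts", which edits the same Maximum Password Age value as Local Security Policy; for a domain it sets the default domain password policy.

```powershell
# Added example (not from the Rapid7 page): enforce and verify a maximum password age.
# Assumes: elevated session; RSAT ActiveDirectory module installed when -Domain is used.
param(
    [int]$MaxAgeDays = 90,   # the page recommends a value between 30 and 90 days
    [switch]$Domain          # set the default domain policy instead of the local policy
)

if ($MaxAgeDays -lt 30 -or $MaxAgeDays -gt 90) {
    throw "MaxAgeDays must be between 30 and 90 (got $MaxAgeDays)"
}

if ($Domain) {
    Import-Module ActiveDirectory
    $domainName = (Get-ADDomain).DNSRoot
    Set-ADDefaultDomainPasswordPolicy -Identity $domainName -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays)
    # MaxPasswordAge is a TimeSpan; a zero span means passwords never expire.
    $current = (Get-ADDefaultDomainPasswordPolicy -Identity $domainName).MaxPasswordAge.Days
} else {
    # Local policy: "net accounts /maxpwage" edits Local Security Policy > Password Policy.
    net accounts /maxpwage:$MaxAgeDays | Out-Null
    $output = (net accounts) -join "`n"
    # Sample line from "net accounts": "Maximum password age (days):   42"  ("Unlimited" = never)
    if ($output -match 'Maximum password age \(days\):\s+(\S+)') {
        $current = if ($Matches[1] -eq 'Unlimited') { 0 } else { [int]$Matches[1] }
    } else {
        throw 'Could not read the maximum password age from "net accounts" output'
    }
}

if ($current -eq $MaxAgeDays) {
    "Maximum password age is now $current days."
} else {
    Write-Warning "Expected $MaxAgeDays days but the policy reports $current (0 = never expires)."
}
# As the page notes for the GUI procedure, restart the system for the change to take effect.
```

    Run it as ".\Set-MaxPasswordAge.ps1" for the local policy or with "-Domain" on a domain member holding RSAT; a reported value of 0 means passwords still never expire and the change did not apply.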

  • Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server, Microsoft Windows Server 2003, Microsoft Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition, Microsoft Windows Server 2003, Datacenter Edition, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Small Business Server 2003

    Set the password expiration for Windows 2000/2003

    If the account is not used, delete or disable the account. If the account is a built-in system account such as the IUSR_ or IWAM_ accounts, enable the "User cannot change password" option to stop this vulnerability from being reported (Microsoft best practices dictate that built-in system accounts NOT be allowed to change their own passwords). Otherwise, ensure that the password expires by disabling the "Password never expires" option.

    1. Open the "Administrative Tools" control panel
    2. Click on "Active Directory Users and Computers"
    3. Double-click on the desired user
    4. Click on the "Account" tab
    5. Uncheck "Password never expires".

  • Microsoft Windows 2000 Professional, Microsoft Windows XP Professional

    Set the password expiration for Windows XP/2000

    If the account is not used, delete or disable the account. If the account is a built-in system account such as the IUSR_ or IWAM_ accounts, enable the "User cannot change password" option to stop this vulnerability from being reported (Microsoft best practices dictate that built-in system accounts NOT be allowed to change their own passwords). Otherwise, ensure that the password expires by disabling the "Password never expires" option.

    1. Right click on "My Computer"
    2. Select "Manage"
    3. Open the "Local Users and Groups" folder
    4. Open the "Users" folder
    5. Double-click on the desired user
    6. Uncheck "Password never expires"

  • Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server, Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition

    Set the password expiration for Windows NT

    If the account is not used, delete or disable the account. If the account is a built-in system account such as the IUSR_ or IWAM_ accounts, enable the "User cannot change password" option to stop this vulnerability from being reported (Microsoft best practices dictate that built-in system accounts NOT be allowed to change their own passwords). Otherwise, ensure that the password expires by disabling the "Password never expires" option.

    1. Click on the "Start" button from the Task Bar
    2. Select "Programs"
    3. Select "Administrative Tools"
    4. Select "User Manager"
    5. Double-click on the desired user
    6. Uncheck "Password never expires"
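    The three per-account procedures above (Windows 2000/2003, XP/2000 and NT) all clear the same "Password never expires" flag or, for built-in IUSR_/IWAM_ accounts, set "User cannot change password" instead. The script below is an added example, not code from the Rapid7 page, that audits for those flags and optionally applies the same guidance on Windows versions that have PowerShell with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) or the RSAT ActiveDirectory module. The parameters (-Domain, -Remediate, -BuiltInPrefixes) and the helper Test-BuiltInName are this example's own; without -Remediate it only reports.

```powershell
# Added example (not from the Rapid7 page): audit "Password never expires" accounts and,
# with -Remediate, apply the page's guidance: built-in IUSR_/IWAM_ accounts get
# "User cannot change password"; every other enabled account has the flag cleared.
# Assumes: elevated session; RSAT ActiveDirectory module installed when -Domain is used.
param(
    [switch]$Domain,
    [switch]$Remediate,
    [string[]]$BuiltInPrefixes = @('IUSR_', 'IWAM_')   # prefixes named on the page; extend per environment
)

function Test-BuiltInName([string]$Name) {
    foreach ($prefix in $BuiltInPrefixes) {
        if ($Name -like "$prefix*") { return $true }
    }
    return $false
}

if ($Domain) {
    Import-Module ActiveDirectory
    $accounts = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
                           -Properties PasswordNeverExpires, CannotChangePassword, PasswordLastSet |
        ForEach-Object {
            [pscustomobject]@{
                Name         = $_.SamAccountName
                CannotChange = [bool]$_.CannotChangePassword
                LastSet      = $_.PasswordLastSet
            }
        }
} else {
    # Get-LocalUser reports PasswordExpires as $null when "Password never expires" is set.
    $accounts = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordExpires } |
        ForEach-Object {
            [pscustomobject]@{
                Name         = $_.Name
                CannotChange = -not $_.UserMayChangePassword
                LastSet      = $_.PasswordLastSet
            }
        }
}

foreach ($account in $accounts) {
    $builtIn = Test-BuiltInName $account.Name
    if ($builtIn -and $account.CannotChange) {
        "{0,-25} last set {1}: compliant (built-in, cannot change password)" -f $account.Name, $account.LastSet
        continue
    }
    $action = if ($builtIn) { 'set "User cannot change password"' } else { 'clear "Password never expires"' }
    "{0,-25} last set {1}: {2}" -f $account.Name, $account.LastSet, $action

    if (-not $Remediate) { continue }
    if ($Domain) {
        if ($builtIn) { Set-ADUser -Identity $account.Name -CannotChangePassword $true }
        else          { Set-ADUser -Identity $account.Name -PasswordNeverExpires $false }
    } else {
        if ($builtIn) { Set-LocalUser -Name $account.Name -UserMayChangePassword $false }
        else          { Set-LocalUser -Name $account.Name -PasswordNeverExpires $false }
    }
}
```

    Run it without switches first to see which accounts the scanner will report; accounts that are unused should be disabled or deleted as the page says rather than remediated by this script, and PasswordLastSet is printed so stale accounts stand out in the listing.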