Nexpose Vulnerability Database


CIFS Account Password Never Expires

Severity: Severe (7)
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published: Nov 1, 2004
Added: Nov 1, 2004
Modified: Jan 28, 2011

Description:

The CIFS account is not subject to password expiration. This is a security risk: without expiration, an attacker can run a brute-force attack to guess the user's password, and the chance of success grows over a prolonged period because the password never changes.


Solution:

  • Microsoft Windows Vista, Microsoft Windows Vista Home, Basic Edition, Microsoft Windows Vista Home, Basic N Edition, Microsoft Windows Vista Home, Premium Edition, Microsoft Windows Vista Ultimate Edition, Microsoft Windows Vista Enterprise Edition, Microsoft Windows Vista Business Edition, Microsoft Windows Vista Business N Edition, Microsoft Windows Vista Starter Edition, Microsoft Windows Server 2008, Microsoft Windows Server 2008 Standard Edition, Microsoft Windows Server 2008 Enterprise Edition, Microsoft Windows Server 2008 Datacenter Edition, Microsoft Windows Server 2008 HPC Edition, Microsoft Windows Server 2008 Web Edition, Microsoft Windows Server 2008 Storage Edition, Microsoft Windows Small Business Server 2008, Microsoft Windows Essential Business Server 2008

    Set the password expiration

    1. Open the Windows Control Panel.
    2. Select "Administrative Tools".
    3. To change the domain-wide lockout policy, select "Domain Security Policy" (or "Domain Controller Security Policy" if the computer is a Domain Controller). Otherwise, to change the policy for this computer only, select "Local Security Policy."
    4. Expand the "Account Policies" folder and select "Password Policy".
    5. Set the Maximum Password Age. This setting enforces the maximum length of time before a password must be changed. A value between 30 and 90 days is recommended.
    6. Restart the system for the changes to take effect.

  • Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server, Microsoft Windows Server 2003, Microsoft Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition, Microsoft Windows Server 2003, Datacenter Edition, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Small Business Server 2003

    Set the password expiration

    If the account is not used, delete or disable the account. If the account is a built-in system account such as the IUSR_ or IWAM_ accounts, enable the "User cannot change password" option to stop this vulnerability from being reported (Microsoft best practices dictate that built-in system accounts NOT be allowed to change their own passwords). Otherwise, ensure that the password expires by disabling the "Password never expires" option.

    1. Open the "Administrative Tools" control panel
    2. Click on "Active Directory Users and Computers"
    3. Double-click on the desired user
    4. Click on the "Account" tab
    5. Uncheck "Password never expires".

  • Microsoft Windows 2000 Professional, Microsoft Windows XP Professional

    Set the password expiration

    If the account is not used, delete or disable the account. If the account is a built-in system account such as the IUSR_ or IWAM_ accounts, enable the "User cannot change password" option to stop this vulnerability from being reported (Microsoft best practices dictate that built-in system accounts NOT be allowed to change their own passwords). Otherwise, ensure that the password expires by disabling the "Password never expires" option.

    1. Right click on "My Computer"
    2. Select "Manage"
    3. Open the "Local Users and Groups" folder
    4. Open the "Users" folder
    5. Double-click on the desired user
    6. Uncheck "Password never expires"

  • Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server, Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition

    Set the password expiration

    If the account is not used, delete or disable the account. If the account is a built-in system account such as the IUSR_ or IWAM_ accounts, enable the "User cannot change password" option to stop this vulnerability from being reported (Microsoft best practices dictate that built-in system accounts NOT be allowed to change their own passwords). Otherwise, ensure that the password expires by disabling the "Password never expires" option.

    1. Click on the "Start" button from the Task Bar
    2. Select "Programs"
    3. Select "Administrative Tools"
    4. Select "User Manager"
    5. Double-click on the desired user
    6. Uncheck "Password never expires"
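
The per-account checks above can be run as a report instead of clicking through each user. The following is an added example, not part of the original entry or of Nexpose: the function name Get-PasswordExpiryFinding and the sample accounts are constructed, and it assumes Windows PowerShell with the WMI class Win32_UserAccount, whose PasswordExpires and PasswordChangeable properties correspond to the "Password never expires" and "User cannot change password" options. Treating a disabled account as needing no change to the expiry flag is an assumption drawn from the "delete or disable" guidance.

```powershell
# Added example: classify accounts using the rules from the Solution text.
# Input objects need Name, Disabled, PasswordExpires and PasswordChangeable,
# which are the property names exposed by Win32_UserAccount.
function Get-PasswordExpiryFinding {
    param(
        [Parameter(ValueFromPipeline = $true)]
        $Account
    )
    process {
        if ($Account.PasswordExpires) {
            $finding = 'OK'
            $action  = 'None'
        }
        elseif ($Account.Disabled) {
            # Assumption: an already-disabled account only needs a review for deletion.
            $finding = 'Disabled'
            $action  = 'Delete the account if it is no longer needed'
        }
        elseif ($Account.Name -match '^(IUSR_|IWAM_)') {
            # Built-in system accounts: the entry asks for "User cannot change password".
            if ($Account.PasswordChangeable) {
                $finding = 'Built-in account can change its password'
                $action  = 'Enable "User cannot change password"'
            }
            else {
                $finding = 'OK (built-in, cannot change password)'
                $action  = 'None'
            }
        }
        else {
            $finding = 'Password never expires'
            $action  = 'Uncheck "Password never expires", or disable the account if unused'
        }
        New-Object PSObject -Property @{
            Name = $Account.Name; Finding = $finding; Action = $action
        } | Select-Object Name, Finding, Action
    }
}

# Constructed sample accounts (not real data) so the logic can be checked offline.
$sample = @(
    @{ Name = 'alice';      Disabled = $false; PasswordExpires = $true;  PasswordChangeable = $true  },
    @{ Name = 'svc_backup'; Disabled = $false; PasswordExpires = $false; PasswordChangeable = $true  },
    @{ Name = 'IUSR_WEB01'; Disabled = $false; PasswordExpires = $false; PasswordChangeable = $true  },
    @{ Name = 'IWAM_WEB01'; Disabled = $false; PasswordExpires = $false; PasswordChangeable = $false },
    @{ Name = 'olduser';    Disabled = $true;  PasswordExpires = $false; PasswordChangeable = $true  }
) | ForEach-Object { New-Object PSObject -Property $_ }
$sample | Get-PasswordExpiryFinding | Format-Table -AutoSize

# Against the local machine (Windows PowerShell):
# Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | Get-PasswordExpiryFinding
```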
