CIS Compliance: Windows 10 - 1 Account Policies - 1.1 Password Policy

This section contains covers the Worklet that automatically applies the CIS recommendations for (1) Account Policies (1.1) Password Policy. It is highly recommended that all Windows devices adhere to these recommendations and be evaluated frequently to ensure compliance.

PLEASE READ:
The following sections are broken down below. Most of these are configurable by the preference of the security admin, however, CIS has set recommendations as to how these settings should be configured. Automox has aligned the default settings in the remediation code to match these recommendations

1.1 Password Policies
1.1.1 Ensure ‘Enforce password history’ is set to '24 or more password(s)’
1.1.2 Ensure ‘Maximum password age’ is set to '60 or fewer days, but not 0’
1.1.3 Ensure ‘Minimum password age’ is set to '1 or more day(s)’
1.1.4 Ensure ‘Minimum password length’ is set to '14 or more character(s)’
1.1.5 Ensure ‘Password must meet complexity requirements’ is set to ‘Enabled’
1.1.6 Ensure ‘Store passwords using reversible encryption’ is set to ‘Disabled’

1.1.1 Ensure ‘Enforce password history’ is set to 24 or more password(s) **
configurable

  • This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password.

1.1.2 Ensure ‘Maximum password age’ is set to '60 or fewer days, but not 0 configurable

  • This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current

  • The recommended state for this setting is 60 or fewer days, but not 0. Admin will need to specify their own configuration

1.1.3 Ensure ‘Minimum password age’ is set to '1 or more day(s)’
configurable

  • This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days.

  • The recommended state for this setting is: 1 or more day(s).

1.1.4 Ensure ‘Minimum password length’ is set to ‘14 or more character(s)’
configurable

  • This policy setting determines the least number of characters that make up a password for a user account.

  • Pass phrases can be quite long and can include spaces. Therefore, a phrase such as “I want to drink a $5 milkshake” is a valid passphrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember.

  • The recommended state for this setting is: 14 or more character(s)

1.1.5 Ensure ‘Password must meet complexity requirements’ is set to 'Enabled

  • This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords.

1.1.6 Ensure ‘Store passwords using reversible encryption’ is set to 'Disabled

  • This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user’s password for authentication purposes. Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords.

  • The recommended state for this setting is: Disabled.

The remediation code below automatically will set all of these settings when executed rom a Worklet across the endpoints. Be sure to configure any values you desire, or keep the defaults.

Remediation:

#Automatically implements the Account Policies -> Password Policies CIS recommended configuration for Windows 10 1809

#1.1 Password Policies
#1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)’
#1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0’
#1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)’
#1.1.4 Ensure 'Minimum password length' is set to '14 or more character(s)’
#1.1.5 Ensure 'Password must meet complexity requirements' is set to 'Enabled'
#1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled'

#AUTHOR 
#Adam Whitman


#change the password history to 24. Users cannot use the previous passwords used for user login
#the recommnded setting is 24 passwords logged by the password history 
	$pwhistory = 24
    net accounts /uniquepw:$pwhistory
    
#changes the password age in days before a new password must be configured by the user.
#The recommended state for this setting is 60 or fewer days, but not 0
    $maxpwagedays = 30
	net accounts /maxpwage:$maxpwagedays

#determines the number of days that you must use a password before you can change it.
#The recommended state for this setting is: 1 or more day(s).
    $minpwagedays = 1
    net accounts /minpwage:$minpwagedays


#determines the least number of characters that make up a password for a user account.
#The recommended state for this setting is: 14 or more character(s).
    $minpwlenchar = 14
    net accounts /minpwlen:$minpwlenchar


#enables password complexity requirements when user created new password 
    secedit /export /cfg c:\secpol.cfg
    (gc C:\secpol.cfg).replace("PasswordComplexity", "PasswordComplexity = 1") | Out-File C:\secpol.cfg
    secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
    rm -force c:\secpol.cfg -confirm:$false


#disables Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords.
    secedit /export /cfg c:\secpol.cfg
    (gc C:\secpol.cfg).replace("ClearTextPassword", "ClearTextPassword = 0") | Out-File C:\secpol.cfg
    secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
    rm -force c:\secpol.cfg -confirm:$false

That’s it, you should now have the Password Policy recommended by the CIS configured on your Windows endpoints!

1 Like

Here’s the blog post that goes along with this worklet:

1 Like