Information
This policy setting determines whether a domain member can periodically change its computer account password.
The recommended state for this setting is: Disabled.
If a system does not change its password, there are security risks, because the secure channel is used for pass-through authentication. If a threat actor discovers a machine account password, the actor can potentially perform pass-through authentication to the domain controller.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes
Impact:
None - this is the default behavior.
Note: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations.
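The following PowerShell audit helper is an added example, not part of the benchmark page. It covers both the recommendation above (confirm that machine account password changes are not disabled) and the note on reverted machines (confirm that the secure channel to the domain is still healthy). It assumes that this policy is backed by the DisablePasswordChange REG_DWORD value under the Netlogon Parameters key, which is how Microsoft documents the setting but which the page itself does not state; the function names and the -Remediate switch are this example's own.

```powershell
# Added example: audit "Domain member: Disable machine account password changes".
# Assumption (from Microsoft docs, not from the benchmark page): the policy maps to
#   HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
#   0 = password changes allowed (recommended state "Disabled"), 1 = changes disabled.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName      = 'DisablePasswordChange'

function Test-MachinePasswordChangePolicy {
    [CmdletBinding()]
    param(
        # Only for machines not governed by a GPO; on domain members the GPO value wins at next refresh.
        [switch]$Remediate
    )

    $item    = Get-ItemProperty -Path $NetlogonParams -Name $ValueName -ErrorAction SilentlyContinue
    $current = if ($null -eq $item) { 0 } else { [int]$item.$ValueName }   # absent value behaves as 0

    $compliant = ($current -eq 0)
    if (-not $compliant -and $Remediate) {
        Set-ItemProperty -Path $NetlogonParams -Name $ValueName -Value 0 -Type DWord
        $current   = 0
        $compliant = $true
    }

    [pscustomobject]@{
        Setting   = 'Domain member: Disable machine account password changes'
        RegValue  = $current
        Compliant = $compliant
        Finding   = if ($compliant) {
                        'Machine account password rotates on schedule (recommended).'
                    } else {
                        'Password changes are disabled: a discovered machine account password stays valid indefinitely.'
                    }
    }
}

function Test-DomainTrustHealth {
    # Relevant to the reversion note: a VM restored to an old snapshot may hold a machine
    # account password the DCs no longer accept, and the secure channel then fails.
    # Test-ComputerSecureChannel returns $true when the channel to a DC is intact.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        return [pscustomobject]@{ Domain = $null; SecureChannelOk = $null; Action = 'Not domain-joined; check not applicable.' }
    }

    $ok = $false
    try { $ok = Test-ComputerSecureChannel -ErrorAction Stop } catch { $ok = $false }

    [pscustomobject]@{
        Domain          = $cs.Domain
        SecureChannelOk = $ok
        Action          = if ($ok) {
                              'Secure channel intact.'
                          } else {
                              # Repairing requires an account allowed to reset the computer object.
                              'Secure channel broken (e.g. after snapshot revert): run ' +
                              'Test-ComputerSecureChannel -Repair -Credential (Get-Credential) or ' +
                              'Reset-ComputerMachinePassword -Credential (Get-Credential).'
                          }
    }
}

# Usage: run elevated on the domain member being audited.
Test-MachinePasswordChangePolicy | Format-List
Test-DomainTrustHealth           | Format-List
```

Run the audit without -Remediate on domain members, since the effective value comes from Group Policy and the registry will be rewritten at the next refresh; the switch is there for standalone or image-build hosts where the key is the only source of the setting. The second function gives you the evidence you need when deciding whether a particular VDI pool or write-filtered device actually warrants the exemption the note describes, rather than exempting it by default.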