Password Expiration check

Applies To: Forefront Client Security

The Password Expiration SSA check determines whether any local accounts have passwords that do not expire. Changing passwords regularly limits how long a guessed or stolen password remains usable and so helps thwart password attacks.

A local account for which the Password never expires setting is enabled overrides the Maximum password age setting of the Password Policy in Group Policy, so the user can keep the same password indefinitely.

The Password never expires setting also overrides the User must change password at next logon setting. When an administrator or help desk representative assigns a new password to a user, it is good practice to select the User must change password at next logon option so that the user replaces the assigned password with one of their own.

Resolutions for potentially unacceptable scores

It is recommended that you examine any local accounts that appear in SSA-related reports as having passwords that do not expire. Determine why the account is configured to have a password that does not expire. If the reason is not acceptable according to your organization's security standards, configure the account to have an expiring password and consider changing the account password immediately.

There are exceptions to this check. Do not remove the Password never expires setting from the following accounts, because doing so can break application and server functionality:

  • IUSR_*

  • IWAM_*

  • SUPPORT_*

  • SMSCli*

  • ACTUser

  • ASPNET

  • SQLDebugger

  • HelpAssistant

  • TSInternetUser

Scoring and results

This check generates scores on two levels:

  • Overall

  • Per account

Overall scoring

The following table shows how Client Security determines the overall score resulting from assessing password expiration settings for accounts on the scanned computer.

Score | Number of accounts with Medium score | Number of accounts with Informational score | Number of accounts with Low score | Computer is a domain controller | Results message
----- | ----- | ----- | ----- | ----- | -----
Medium | At least 1 | 0 or more | 0 or more | No | Number of user accounts with non-expiring passwords: number [of Medium score accounts]. Total number of user accounts: number.
Informational | 0 | At least 1, disabled but not exempt | 0 or more | No | Number of disabled user accounts with non-expiring passwords: number [of Informational score accounts]. Total number of user accounts: number.
Informational | 0 | At least 1, on exempt list | 0 or more | No | All accounts with no password expiration are on the exempt list.
Informational | Not applicable | Not applicable | Not applicable | Yes | This check is not supported on domain controllers.
Low | 0 | 0 | At least 1 | No | Passwords expire for all accounts on this computer.

Per account scoring

The following table shows how Client Security determines the score resulting from assessing password expiration settings for a specific user account.

Score | Password expires | Account is disabled | Account in exemption list | Results message
----- | ----- | ----- | ----- | -----
Medium | No | No | No | The password for this account never expires: username.
Informational | No | Yes | No | The password for this account never expires: username. However, the account is disabled.
Informational | No | Yes or No | Yes | The password for this account never expires: username. However, the account is in the list of accounts exempt from the Password Expiration check.
Low | Yes | Not applicable | Not applicable | The password for this account expires: username.
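The following PowerShell script is an added example, not part of Client Security or its documentation; it reproduces the exemption list and both scoring tables above for the local accounts of one computer. It assumes the standard Win32_UserAccount and Win32_ComputerSystem CIM classes, uses DomainRole values 4 and 5 as its own way of recognising a domain controller, and reports disabled-but-not-exempt accounts ahead of the exempt-only message when both kinds are present (the page does not say which message takes precedence).

```powershell
# Exempt account names from the list above (wildcards as given in the documentation).
$ExemptPatterns = 'IUSR_*', 'IWAM_*', 'SUPPORT_*', 'SMSCli*', 'ACTUser', 'ASPNET',
                  'SQLDebugger', 'HelpAssistant', 'TSInternetUser'

function Test-ExemptAccount([string]$Name) {
    foreach ($pattern in $ExemptPatterns) { if ($Name -like $pattern) { return $true } }
    return $false
}

# Per-account scoring, following the per-account table above.
function Get-AccountScore([string]$Name, [bool]$PasswordExpires, [bool]$Disabled) {
    $exempt = Test-ExemptAccount $Name
    if ($PasswordExpires) {
        $score = 'Low'; $msg = "The password for this account expires: $Name."
    } elseif ($exempt) {
        $score = 'Informational'
        $msg = "The password for this account never expires: $Name. However, the account is in the list of accounts exempt from the Password Expiration check."
    } elseif ($Disabled) {
        $score = 'Informational'
        $msg = "The password for this account never expires: $Name. However, the account is disabled."
    } else {
        $score = 'Medium'; $msg = "The password for this account never expires: $Name."
    }
    [pscustomobject]@{ Name = $Name; Score = $score; Exempt = $exempt; Message = $msg }
}

# The check is not supported on domain controllers; DomainRole 4 (backup DC) and 5 (primary DC)
# are this example's assumption for recognising one.
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
    Write-Output 'Informational: This check is not supported on domain controllers.'
    return
}

# Win32_UserAccount exposes the two inputs the check needs: PasswordExpires and Disabled.
$results = @(Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE' |
    ForEach-Object { Get-AccountScore $_.Name $_.PasswordExpires $_.Disabled })
$results | Format-Table Name, Score, Message -AutoSize

# Overall scoring, following the overall scoring table above.
$medium = @($results | Where-Object Score -eq 'Medium')
$info   = @($results | Where-Object Score -eq 'Informational')
$disabledNotExempt = @($info | Where-Object { -not $_.Exempt })
if ($medium.Count -ge 1) {
    "Medium: Number of user accounts with non-expiring passwords: $($medium.Count). Total number of user accounts: $($results.Count)."
} elseif ($disabledNotExempt.Count -ge 1) {
    "Informational: Number of disabled user accounts with non-expiring passwords: $($disabledNotExempt.Count). Total number of user accounts: $($results.Count)."
} elseif ($info.Count -ge 1) {
    'Informational: All accounts with no password expiration are on the exempt list.'
} else {
    'Low: Passwords expire for all accounts on this computer.'
}
```

Run it in an elevated PowerShell session on the scanned computer; the per-account table it prints lets you compare each Medium result against your organisation's standards before changing the setting.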

Other Resources

Password Best practices