Level 2
Description:
Password lifetime restrictions do not apply to temporary passwords
Priority: High
Domain: IDENTIFICATION AND AUTHENTICATION (IA)
Services Associated with AWS:
- AWS Identity and Access Management (IAM)
Services Associated with Azure:
- Azure Active Directory (Azure AD)
- Azure Active Directory B2C
- Azure Active Directory Domain Services
- Azure AD Privileged Identity Management
- Azure Multi-Factor Authentication
- Azure Conditional Access
- Azure Information Protection
- Azure Identity Protection
- Azure Key Vault
- Azure Security Center
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate how Identity & Access Management (IAM) practices are implemented
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screenshot of configuration settings
Possible Technology Considerations:
- Identity & Access Management (IAM)
- Secure Baseline Configurations (SBC)
What needs to be answered:
Can passwords be re-used after a certain number of days or a defined number of password changes? Is password reuse prohibited for a defined number of generations? Are passwords unique to the organization’s systems and not re-used on external information systems?
Checks for AWS
- Prohibit Password Reuse
Description: This check ensures that organizations prohibit the reuse of passwords for a specified number of generations. Password reuse refers to the practice of using the same password again after it has been previously used. Prohibiting password reuse helps enhance password security by preventing users from using the same password repeatedly, which reduces the risk of compromised credentials. Organizations should define a policy that specifies the number of generations (i.e., the number of times a password can be reused) before a new password must be set. This policy should be enforced for both individual and group accounts.
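As an added example (not part of this control text and not AWS-provided tooling), the following Python evaluates an IAM account password policy against the reuse and expiration checks above. The two sample policies are constructed to match the shape of the IAM GetAccountPasswordPolicy response; the six-generation threshold is the figure given in the "More Details" line under the Azure checks, while the 90-day maximum password age is an assumed organizational threshold, not a value from this page. The `fetch_live_policy` helper shows the real boto3 call but is not run at import time.

```python
"""Evaluate an AWS IAM account password policy for the password-reuse
and password-expiration checks.

Example code, not part of the control text. The sample policy dicts are
constructed to mirror the "PasswordPolicy" object returned by
`aws iam get-account-password-policy` (boto3: iam.get_account_password_policy).
"""
from typing import List, Optional

# Threshold from the "More Details" line of the control: at least six prior
# passwords must be remembered.
MIN_REUSE_GENERATIONS = 6
# Assumed organizational threshold for rotation; not stated on the page.
MAX_PASSWORD_AGE_DAYS = 90

# Constructed sample: weak policy (values are illustrative, not from any account).
SAMPLE_POLICY_WEAK = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,          # MaxPasswordAge is omitted when this is false
    "PasswordReusePrevention": 3,      # remembers only 3 generations
    "HardExpiry": False,
}

# Constructed sample: policy that satisfies both checks.
SAMPLE_POLICY_COMPLIANT = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,     # IAM maximum
    "HardExpiry": False,
}


def evaluate_password_policy(
    policy: Optional[dict],
    min_generations: int = MIN_REUSE_GENERATIONS,
    max_age_days: int = MAX_PASSWORD_AGE_DAYS,
) -> List[str]:
    """Return a list of findings; an empty list means both checks pass.

    `policy` is None when the account has no custom password policy
    (IAM raises NoSuchEntity). In that case IAM's defaults apply, which
    enforce neither reuse prevention nor expiration.
    """
    if policy is None:
        return ["No account password policy set: IAM defaults apply "
                "(no reuse prevention, no expiration)"]

    findings: List[str] = []

    # Reuse check: the key is absent from the response when never configured.
    generations = policy.get("PasswordReusePrevention", 0)
    if generations < min_generations:
        findings.append(f"PasswordReusePrevention is {generations}; "
                        f"require at least {min_generations}")

    # Expiration check: ExpirePasswords must be on and MaxPasswordAge bounded.
    if not policy.get("ExpirePasswords", False):
        findings.append("ExpirePasswords is false: passwords never expire")
    else:
        age = policy.get("MaxPasswordAge")
        if age is None or age > max_age_days:
            findings.append(f"MaxPasswordAge is {age}; require at most {max_age_days} days")

    return findings


def fetch_live_policy() -> Optional[dict]:
    """Fetch the real policy with boto3 (requires credentials; not called here)."""
    import boto3
    from botocore.exceptions import ClientError

    iam = boto3.client("iam")
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "NoSuchEntity":
            return None
        raise


if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_POLICY_WEAK),
                         ("compliant", SAMPLE_POLICY_COMPLIANT),
                         ("absent", None)):
        result = evaluate_password_policy(sample)
        print(f"{name}: {'PASS' if not result else result}")
```

To run the same evaluation against a live account, replace the samples with `fetch_live_policy()`; the remediation for a weak policy is `aws iam update-account-password-policy` with `--password-reuse-prevention` and `--max-password-age` set to the organization's thresholds.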
Checks for Azure
- Enforce Password Expiration
Description: This check ensures that organizations enforce password expiration policies for user accounts in Azure. Password expiration policies require users to change their passwords after a specified period of time. By enforcing password expiration, organizations can mitigate the risk of unauthorized access due to the prolonged use of the same password and encourage regular password updates for enhanced security.
- Prohibit Password Reuse
Description: This check verifies that organizations prohibit the reuse of passwords for user accounts in Azure. Prohibiting password reuse prevents users from reusing previously used passwords, reducing the risk of compromised credentials. Organizations should define a policy that specifies the number of password changes or generations before a password can be reused.
More Details: Password reuse is prohibited for at least six prior passwords.