CommunityUniversityPartnersDevelopersSupportLogin
Platform
Solutions
Pricing
Resources
Platform View overview
Automation

AI-powered IT Automation for All Your Endpoints

Configuration

Hundreds of Worklets to Automate Anything

Patching

Automated Cross-OS & Hundreds of Titles

Vulnerability Remediation

Automated and Manual Vuln Sync and Remediation

Remote Control

Instantly Troubleshoot Windows and macOS

Reporting

Dashboard, PDF Exports and API Flexibility

Deployment

Automatically Deploy Hundreds of Software Titles

Cloud Architecture

Zero Hardware and Fast, Reliable Agent

Services & Support Plans
Security
Ratings & Reviews

Thousands of Customers Managing 1,000,000 Endpoints

INSTANT DEMOS

Deploy in Seconds

Remote Access

FixNow

Ask Otto AI Scripting

Software Deployment

Single Pane Dashboard

Automate with Worklets

Find & Fix Vulnerabilities

Worklets Catalog

Cross OS Patching

Cross OS Visibility

Desired State Config

Endpoint Organization

Secure Script Signing

OUTCOMES

Automated Cross-OS Updates

Everything Updated — Desktops, Laptops, Servers

Visibility & Reporting

Prove Everything in Your Environment is Up to Date

Automated Software Updates

One Source to Keep All Your Software Up to Date

Zero-Hardware IT Cloud

No VPN, No Servers, One Fast, Reliable Agent

Automated Configuration

Eliminate Drift and Keep Everything Up to Date

Cross-Platform Troubleshooting

Quickly Resolve Windows & macOS Tickets

INDUSTRIES

State & Local Government

K-12 Education

Colleges & Universities

Pharmaceuticals

Sports Organizations

MSPs

SaaS

TOPICS

IT Automation

Patching & Endpoint Automation

Vulnerability Remediation

IT Operations

Patch Tuesday

Automox Updates

View All

SOURCES

Events

Blog

Reports & Guides

Case Studies

Solution Briefs

News & Press

Videos

Podcasts

View All

FEATURED

UPCOMING

Home > Blog > Automox Worklet: Set Password...
Otto background

Automox Worklet: Set Password Policies

Connect With Us

We're obsessed with making your job easier. Start your free trial today and go from reactive to proactive endpoint management with one click.

To provide guidance on how to map your cyber hygiene practices to the MITRE ATT&CK framework, we’ve started to create a series of Automox Worklets™. Our goal is to showcase the power and flexibility of these worklets to bolster your cyber hygiene and prevent or mitigate real-world threats.

Both the Center for Internet Security (CIS) security controls and the MITRE ATT&CK framework provide crucial intelligence to maintain a strong cybersecurity posture. By practicing good cyber hygiene as directed by the CIS, you can prevent and mitigate real-world threats identified throughout the MITRE ATT&CK framework.

With this Automox Worklet, we’ve chosen to highlight the first tactic in the ATT&CK matrix, Initial Access, and even more specifically the technique ID:T1078, or Valid Accounts. For additional information on this tactic and technique, refer to our blog on the topic.

Automox Worklet: Set Password Policies per CIS Recommendations

This Automox Worklet automatically applies the CIS recommendations for (1) Account Policies (1.1) Password Policy. It is highly recommended that all Windows devices adhere to these recommendations and be evaluated frequently to ensure compliance.

Please Read - CIS Password Policies Recommendations

The following policies are broken down in the worklet remediation code below. Most of these settings are configurable by the security admin, but Automox has aligned the default settings in the code to match the CIS recommendations.

1.1 Password Policies

1.1.1 Ensure ‘Enforce password history’ is set to '24 or more password(s)’

1.1.2 Ensure ‘Maximum password age’ is set to '60 or fewer days, but not 0’

1.1.3 Ensure ‘Minimum password age’ is set to '1 or more day(s)’

1.1.4 Ensure ‘Minimum password length’ is set to '14 or more character(s)’

1.1.5 Ensure ‘Password must meet complexity requirements’ is set to ‘Enabled’

1.1.6 Ensure ‘Store passwords using reversible encryption’ is set to ‘Disabled’

1.1.1 Ensure ‘Enforce password history’ is set to 24 or more password(s) [configurable]

This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords.

The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password.

1.1.2 Ensure ‘Maximum password age’ is set to '60 or fewer days, but not 0 [configurable]

This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire.

Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current

The recommended state for this setting is 60 or fewer days, but not 0. Admin will need to specify their own configuration

1.1.3 Ensure ‘Minimum password age’ is set to '1 or more day(s)’  [configurable]

This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days.

The recommended state for this setting is: 1 or more day(s).

1.1.4 Ensure ‘Minimum password length’ is set to ‘14 or more character(s)’  [configurable]

This policy setting determines the least number of characters that make up a password for a user account.

Pass phrases can be quite long and can include spaces. Therefore, a phrase such as “I want to drink a $5 milkshake” is a valid passphrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember.

The recommended state for this setting is: 14 or more character(s)

1.1.5 Ensure ‘Password must meet complexity requirements’ is set to 'Enabled

This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords.

1.1.6 Ensure ‘Store passwords using reversible encryption’ is set to 'Disabled

This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user’s password for authentication purposes. Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords.

The recommended state for this setting is: Disabled.

To deploy this endpoint hardening Worklet, view the original posting on the Automox Alive community.

Tips for Creating an Automox Worklet

Before deploying an Automox Worklet to the production environment, we suggest testing this on a few devices to confirm its accuracy. If you have any questions, please contact our support team for technical assistance at support@automox.com.

For step-by-step instructions on creating the Worklet, see our user documentation: Create a Worklet.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.

Dive deeper into this topic

loading...

Start your free trial.

Join over 1,090,611 endpoints managed with Automox.

start your free trial now

PRODUCT

OverviewFeaturesWorkletsPricingRoadmap

COMPANY

AboutLeadershipNewsCareersDiversity in ITContact

DOCS

DocsAPIFAQ

CUSTOMERS

SupportCommunityUniversityDevelopersPartners

SOCIAL

LEGALTerms of UsePrivacy PolicyMaster Services Agreement
CSA STAREU-US DPGDPRPCI DSSSOCTX-RAMP
Copyright © 2024 Automox. AUTOMOX is a registered trademark in the US and other countries.
TX-RAMPSOCPCI DSSGDPREU-US DPCSA STAR