Passwords: Enforce history

d0163b5f-23ab-4377-bc49-709e891a6b2b

The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. In addition, any accounts that may have been compromised remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented - or if users continually reuse a small number of passwords - the effectiveness of a good password policy is greatly reduced.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enforce-password-history

Remediation

Best practices and compliance require a password history set to 24, meaning that the last 24 passwords are remembered.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enforce-password-history
Fix: Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Enforce password history" to "24" passwords remembered.

Stig Server: 2016 - https://www.stigviewer.com/stig/windows_server_2016/2019-01-
16/finding/V-73315
2019 - https://www.stigviewer.com/stig/windows_server_2019/2020-06-15/finding/V-93479
Stig Desktop: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63415



stig-medium-server
stig-medium-desktop
compliance-desktop
compliance-server
nist800-171
cmmc-l1