Microsoft Windows 11
Reversible password encryption must be disabled
STIG ID:
WN11-AC-000045
|
SRG:
SRG-OS-000073-GPOS-00041
|
Severity:
High
|
CCI:
CCI-004062,CCI-000196
|
Vulnerability ID:
V-253305
Description
Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy must never be enabled.
Check
C-56758r828997_chk
Verify the effective setting in Local Group Policy Editor.Run "gpedit.msc".Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy.If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding.
Fix
F-56708r828998_fix
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Store passwords using reversible encryption" to "Disabled".