Enforce password expiration policy for user accounts.
389-AC-002 - severity: high
| Field | Value |
|---|---|
| Control ID | 389-AC-002 |
| Severity | high |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | IA-5(1), IA-5(1)(d) |
| DISA SRG | SRG-APP-000174 |
Rationale
Password expiration bounds the window in which a credential compromised without the account owner's knowledge stays usable: a stolen password that is never rotated remains valid indefinitely and supports persistent unauthorized access or lateral movement. This control activates the expiration engine itself (passwordExp: on). Without that flag the passwordMaxAge attribute can be present in the policy and still have no operational effect, so long-lived credentials go unchecked regardless of the configured age value.

DISA SRG-APP-000174 requires a maximum password lifetime for covered applications (the SRG text itself specifies 60 days, 5184000 seconds); 90 days (7776000 seconds) is the common compliance baseline and is the ceiling this control checks, so tighten it to 60 days where the SRG or a stricter framework is binding. The IA-5(1)(d) mapping reflects the SP 800-53 Rev 4 wording on password lifetime restrictions; Rev 5 dropped the requirement for periodic rotation and SP 800-63B advises against forcing it absent evidence of compromise, so the interval should be justified by the framework you are held to rather than shortened by default. See 389-AC-007, which governs the maximum-age value as a separately auditable control and must be applied in conjunction with this one.
Check
Verify that password expiration is enabled and that the maximum age is set to 90 days (7776000 seconds) or less. Both attributes must be checked: a compliant passwordMaxAge is meaningless while passwordExp is off.
dsconf <instance> pwpolicy get | grep -i -E "passwordexp|passwordmaxage"
Expected: passwordExp: on and passwordMaxAge: 7776000 (or a smaller positive value). The grep is case-insensitive because the attribute names in the dsconf output need not match the schema casing; any other passwordExp value, or a passwordMaxAge that is absent, non-numeric or larger than 7776000, is a finding.
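As an added check helper (not part of the 389-DS project or of this control's original text), the shell function below evaluates a dump from dsconf <instance> pwpolicy get against this control: it fails when passwordExp is anything but on, including the case the rationale warns about where passwordMaxAge is present but inert, and when passwordMaxAge is missing, non-numeric, zero or above the ceiling passed as the argument. The policy dumps it is demonstrated on are constructed, not captured from a real instance; the function name check_pwpolicy and the ceiling argument are this example's own choices.

```shell
#!/bin/sh
# Added example for 389-AC-002 (not code from the 389-DS project or from this control page).
# check_pwpolicy <ceiling-seconds>
#   Reads "attribute: value" lines, as printed by `dsconf <instance> pwpolicy get`, on stdin
#   and returns 0 (compliant) or 1 (finding). Attribute names are compared case-insensitively
#   because the dump does not have to follow LDAP schema casing (passwordExp vs passwordexp).
check_pwpolicy() {
    ceiling="$1"
    exp=""
    maxage=""
    while IFS= read -r line; do
        # Split at the first colon; lines that do not carry a recognised attribute are ignored.
        name=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
        value=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$name" in
            passwordexp)    exp=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]') ;;
            passwordmaxage) maxage="$value" ;;
        esac
    done

    # Expiration engine off: passwordMaxAge, whatever its value, does nothing.
    if [ "$exp" != "on" ]; then
        echo "FAIL: passwordExp is '${exp:-unset}', so passwordMaxAge (${maxage:-unset}) has no effect"
        return 1
    fi
    # The ceiling only means something for a positive integer max-age; anything else is a finding.
    case "$maxage" in
        ''|*[!0-9]*)
            echo "FAIL: passwordMaxAge is '${maxage:-unset}' (expected a positive number of seconds)"
            return 1 ;;
    esac
    if [ "$maxage" -eq 0 ] || [ "$maxage" -gt "$ceiling" ]; then
        echo "FAIL: passwordMaxAge=$maxage seconds ($((maxage / 86400)) days) exceeds ceiling $ceiling"
        return 1
    fi
    echo "PASS: passwordExp=on, passwordMaxAge=$maxage seconds ($((maxage / 86400)) days)"
    return 0
}

# Live use (needs the instance):  dsconf <instance> pwpolicy get | check_pwpolicy 7776000
# Offline demonstration on constructed dumps; each failing call also prints its exit code.
# 1) engine off with a 90-day max-age present: the inert-attribute case
printf 'passwordexp: off\npasswordmaxage: 7776000\n' | check_pwpolicy 7776000 || echo "  exit=$?"
# 2) engine on but max-age at the 389-DS default of 100 days
printf 'passwordExp: on\npasswordMaxAge: 8640000\n'  | check_pwpolicy 7776000 || echo "  exit=$?"
# 3) compliant
printf 'passwordExp: on\npasswordMaxAge: 7776000\n'  | check_pwpolicy 7776000 || echo "  exit=$?"
```

Pipe the live output into the function as in the comment, or capture it to a file first so the evidence can be attached to the audit record. The global policy is not the whole picture: subtree and user (local) policies override it for the entries they cover, so also list them with dsconf <instance> localpwp list and apply the same expiration and max-age criteria to each policy that covers user accounts (local policies only take effect while nsslapd-pwpolicy-local is on).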
Remediation
Enable password expiration and set the maximum password age to 90 days.
dsconf <instance> pwpolicy set --pwdexpire=on --pwdmaxage=7776000
References
Implementation Notes
Both flags must be set together: --pwdexpire=on activates the expiration engine and --pwdmaxage sets the ceiling in seconds (7776000 = 90 days; use 5184000 for 60 days where your compliance framework requires it). 389-AC-007 records the max-age value separately for audit traceability; the two controls overlap and must be applied consistently. To warn users ahead of expiry, also configure passwordWarning (the advance-warning period in seconds) with dsconf <instance> pwpolicy set --pwdwarning=<seconds>. Service accounts that cannot tolerate forced expiration should be placed under a subtree (local) password policy with expiration disabled rather than by weakening the global policy; local policies are managed with the dsconf localpwp subcommands and only take effect while nsslapd-pwpolicy-local is on, so include them in the check and keep the exception subtree limited to the service-account container.