| VID | 27021 |
| Severity | 20 |
| Port | 139 |
| Protocol | TCP |
| Class | SMB |
| Detailed Description |
The user has a password that will never expire. Unless the account is a service account with a very strong password, this setting lowers your security level: an attacker has an unlimited amount of time to guess the password, and an unlimited amount of time to use the password once it is guessed.
* References: http://cgi.nessus.org/plugins/dump.php3?id=10900
* Platforms Affected: Microsoft Windows Any version |
| Recommendation |
Remove the Password Never Expires option by following the steps below, appropriate for your platform.
In Windows NT:
1. Open User Manager. (From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.)
2. Select the user from the list.
3. From the User menu, select Properties to display the User Properties dialog box.
4. Clear the Password Never Expires check box.
5. Click OK.

For a Windows 2000 domain:
1. Start Active Directory Users and Computers Management Console (dsa.msc).
2. Look for the user of interest in the domain; the default folder to look in is Users.
3. Open the Properties page for the user of interest.
4. Select the Account Tab.
5. Ensure the "Password never expires" option under Account Options is unchecked.

For stand-alone Windows 2000 machines:
1. On the computer of interest, start Local Users and Groups Management Console (lusrmgr.msc).
2. Open the User folder.
3. Select the User of interest.
4. Open the Properties page for the user.
5. Select the General Tab.
6. Ensure the "Password never expires" option is unchecked.

For Windows XP, 2003, Vista, 7, 2008, 8, 2012, 10, 2016, 2019:
1. From the Start menu, select Run and then execute lusrmgr.msc.
2. Open [Local Users and Groups] -> [Users] folder and select the User.
3. Select the 'Properties' menu for the user.
4. Select the 'General' Tab.
5. Ensure the "Password never expires" option is unchecked. |
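The same check can be scripted for local accounts instead of clicking through each user. The script below is an added example, not part of the original advisory: it reads each local account's flags through the ADSI WinNT provider, lists accounts with "Password never expires" set, and clears the flag only when `-Fix` is given. The allowlist entry `svc_backup` is a hypothetical reviewed service account, and clearing the flag assumes an elevated session.

```powershell
# Added example: audit local accounts for "Password never expires".
# Assumption: $Allow lists service accounts already reviewed as having
# very strong passwords (svc_backup is a hypothetical name).
param(
    [string[]]$Allow = @('svc_backup'),
    [switch]$Fix      # without -Fix the script only reports
)

$DONT_EXPIRE_PASSWD = 0x10000   # ADS_UF_DONT_EXPIRE_PASSWD
$ACCOUNTDISABLE     = 0x0002    # ADS_UF_ACCOUNTDISABLE

# Enumerate local user objects on this machine.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$findings = foreach ($u in $computer.Children) {
    if ($u.SchemaClassName -ne 'user') { continue }
    $flags = [int]$u.UserFlags.Value
    if (-not ($flags -band $DONT_EXPIRE_PASSWD)) { continue }
    $name = [string]$u.Name.Value
    [pscustomobject]@{
        Name     = $name
        Disabled = [bool]($flags -band $ACCOUNTDISABLE)
        Allowed  = $Allow -contains $name
    }
}
$findings | Sort-Object Name | Format-Table -AutoSize

if ($Fix) {
    # Clear the flag on every flagged account that is not allowlisted.
    foreach ($f in $findings | Where-Object { -not $_.Allowed }) {
        $u = [ADSI]"WinNT://$env:COMPUTERNAME/$($f.Name),user"
        $u.UserFlags = [int]$u.UserFlags.Value -band (-bnot $DONT_EXPIRE_PASSWD)
        $u.SetInfo()
        Write-Output "Cleared 'Password never expires' on $($f.Name)"
    }
}
```

Disabled accounts are reported too, since the flag takes effect again if the account is re-enabled.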
| Related URL | (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |