VID 28021
Severity 30
Port 139
Protocol TCP
Class SMB
Detailed Description The minimum password length in the system password policy is not set. In general, passwords shorter than 6 characters are especially susceptible to brute-force attacks.
Set the minimum password length to 6 or more.

* Platforms Affected:
Microsoft Windows, any version

* References:
http://www.iss.net/security_center/static/743.php
Recommendation To set the minimum password length:

In Windows NT:
1. Open User Manager. (From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.)
2. From the Policies menu, select Account to display the Account Policy dialog box.
3. Set the minimum password length to at least the number of characters specified by the current policy.
4. Click OK.

For a Windows 2000 domain:
1. Start Microsoft Management Console (MMC).
2. Add Group Policy Snap-in.
3. Browse Group Policy Objects.
4. Select the Domain Policy of interest.
5. Traverse the following path: Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy, Minimum Password Length
6. Set the Minimum Password Length to the desired value.

For stand-alone Windows 2000 machines:
1. On the computer of interest, start gpedit.msc. The focus is local computer by default.
2. Traverse the following path: Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy, Minimum Password Length
3. Set the Minimum Password Length to the desired value.

For Windows XP, 2003, Vista, 7, 2008, 8, 2012, 10, 2016, 2019:
1. Go to Start menu -> Run and type 'gpedit.msc'.
2. Traverse the following path: Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy, Minimum Password Length
3. Set the Minimum Password Length to the desired value.
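
To confirm the setting after applying any of the procedures above, the following added example (not part of the original entry) parses a `secedit` policy export and checks Minimum Password Length against the threshold of 6 stated in the description. The function names and the sample export text are constructed for illustration; the live check assumes an elevated prompt on a system where `secedit.exe` is available.

```powershell
# Added example: audit MinimumPasswordLength in a secedit export (names are hypothetical).

function Get-MinPasswordLengthFromInf {
    param([string[]]$InfLines)
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        # Track the current INF section; the setting lives under [System Access].
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $t -match '^MinimumPasswordLength\s*=\s*(\d+)$') {
            return [int]$Matches[1]
        }
    }
    return $null   # setting absent from the export
}

function Test-MinPasswordLength {
    param([string[]]$InfLines, [int]$Required = 6)
    $len = Get-MinPasswordLengthFromInf -InfLines $InfLines
    [pscustomobject]@{
        MinimumPasswordLength = $len
        Required              = $Required
        Compliant             = ($null -ne $len -and $len -ge $Required)
    }
}

function Export-LocalSecurityPolicy {
    # Requires an elevated prompt; secedit writes the local security policy as an INF file.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
        Get-Content -LiteralPath $cfg
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

# Constructed sample of an export in which the minimum length is not set (0).
$sample = @'
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
'@ -split "`r?`n"

Test-MinPasswordLength -InfLines $sample                          # constructed input
# Test-MinPasswordLength -InfLines (Export-LocalSecurityPolicy)   # live check, elevated
```

A missing `MinimumPasswordLength` line is reported as non-compliant rather than assumed to be acceptable.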