Jan11185
Copper Contributor
Oct 21, 2024

Vulnerability Management - Baselines assessment

We are currently evaluating Vulnerability Management to report on our CIS 2.0 compliance.

In a Domain Controller profile the Password Policy checks appear to be incorrect.

For example: 1.1.5 - (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'

says "Not compliant", although we have it enabled in the "Default Domain Policy", which is the one controlling domain users' password policy.

What policy does it check?

It is as if it checks the RSOP that affects the DCs. But DCs do not have local users. 🤔

    • Jan11185
      Copper Contributor
      Yes I do, but they have all checked "Password must meet complexity requirements".

      Additionally we have "Entra Password Protection" installed. I wonder if that confuses it.
      If it does not know the solution, and just sees there is a Passfilt.dll installed... 🤷‍♂️
      Anyways, it is just an additional complexity requirement, so ought to be even better than default Windows complexity.
      • micheleariis
        Steel Contributor

        Jan11185 Hi, I also have Entra Password Protection enabled and it hasn't given me any problems; if you run the command below on the domain controller, what does it return?

        Get-ADDefaultDomainPasswordPolicy
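
As an added example (not part of the thread and not any poster's code), the PowerShell below puts the output of `Get-ADDefaultDomainPasswordPolicy` next to the security policy the domain controller itself exports with `secedit`, so the domain-level setting and the value seen on the DC can be compared setting by setting. It assumes an elevated session on a DC with the ActiveDirectory module; the temp file name is a constructed value, and it makes no claim about which of the two sources the baseline assessment reads.

```powershell
# Added example (not from the thread). Run elevated on a domain controller;
# needs the ActiveDirectory module. The temp file name is a constructed value.
Import-Module ActiveDirectory

# Domain-wide policy, as returned by the command suggested in the thread.
$domain = Get-ADDefaultDomainPasswordPolicy

# Security policy as this machine reports it, exported to an INF file.
$inf = Join-Path $env:TEMP 'dc-secpol-export.inf'
secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed (exit code $LASTEXITCODE)" }

# Parse the "Key = Value" lines of the export into a lookup table.
$local = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\s*(\w+)\s*=\s*(\S+)\s*$') { $local[$Matches[1]] = $Matches[2] }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

# AD property name -> secedit key for the same setting.
$map = [ordered]@{
    ComplexityEnabled           = 'PasswordComplexity'
    ReversibleEncryptionEnabled = 'ClearTextPassword'
    MinPasswordLength           = 'MinimumPasswordLength'
    PasswordHistoryCount        = 'PasswordHistorySize'
    LockoutThreshold            = 'LockoutBadCount'
}

$report = foreach ($prop in $map.Keys) {
    $adValue = $domain.$prop
    if ($adValue -is [bool]) { $adValue = [int]$adValue }   # secedit writes 0/1
    $localValue = $local[$map[$prop]]
    [pscustomobject]@{
        Setting       = $prop
        DomainPolicy  = $adValue
        SeceditExport = $localValue
        Match         = ($null -ne $localValue) -and ("$adValue" -eq "$localValue")
    }
}
$report | Format-Table -AutoSize
```

A row with `Match` set to `False` marks a setting where the two sources disagree and is the place to start when a baseline result does not line up with the Default Domain Policy.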
