Vulnerability Management - Baselines assessment
We are currently evaluating Vulnerability Management to report on our CIS 2.0 compliance.
In a Domain Controller profile the Password Policy checks appear to be incorrect.
For example: 1.1.5 - (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'
says "Not compliant", although we have it enabled in the "Default Domain Policy", which is the one controlling domain users' password policy.
What policy does it check?
It is as if it checks the RSOP that affects the DCs. But DCs do not have local users. 🤔
- micheleariis (Steel Contributor)
Jan11185 Hi, do you happen to have the fine-grained password policy active on the domain?
- Jan11185 (Copper Contributor)
Yes, I do, but they all have "Password must meet complexity requirements" checked.
Additionally we have "Entra Password Protection" installed. I wonder if that confuses it.
If it does not know the solution, and just sees there is a Passfilt.dll installed... 🤷‍♂️
Anyways, it is just an additional complexity requirement, so ought to be even better than default Windows complexity.
- micheleariis (Steel Contributor)
Jan11185 Hi, I also have Entra Password Protection enabled and it hasn't given me any problems; if you run the command below on the domain controller what does it return?
Get-ADDefaultDomainPasswordPolicy
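
Added example, not part of the thread: a PowerShell sketch that extends the command above to show the complexity setting from each place the discussion mentions (the default domain policy, every fine-grained password policy, and the security policy the domain controller itself reports), so the values can be compared with the baseline result. It assumes an elevated session on a domain controller with the ActiveDirectory module; the temporary file name is a placeholder, and the script makes no claim about which source the assessment reads.

```powershell
# Added example: gather 'Password must meet complexity requirements' from three sources.
# Assumes an elevated session on a domain controller with the ActiveDirectory module.
Import-Module ActiveDirectory

$results = @()

# 1. Domain-wide password policy (normally set through the Default Domain Policy GPO).
$default = Get-ADDefaultDomainPasswordPolicy
$results += [pscustomobject]@{
    Source            = 'Default domain password policy'
    Name              = $default.DistinguishedName
    ComplexityEnabled = $default.ComplexityEnabled
}

# 2. Fine-grained password policies (PSOs), which override the default for the
#    users and groups they apply to.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += [pscustomobject]@{
        Source            = "Fine-grained policy (precedence $($pso.Precedence))"
        Name              = $pso.Name
        ComplexityEnabled = $pso.ComplexityEnabled
    }
}

# 3. Security policy as this machine reports it, exported with secedit.
#    The file name is a placeholder; the export is deleted after parsing.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
$match = Select-String -Path $cfg -Pattern '^\s*PasswordComplexity\s*=\s*(\d+)' |
    Select-Object -First 1
# $null means the setting was not present in the export.
$localValue = if ($match) { $match.Matches[0].Groups[1].Value -eq '1' } else { $null }
Remove-Item $cfg -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Source            = 'secedit export on this machine'
    Name              = $env:COMPUTERNAME
    ComplexityEnabled = $localValue
}

# Full picture, then only the sources where complexity is not confirmed enabled.
$results | Format-Table -AutoSize
$results | Where-Object { $_.ComplexityEnabled -ne $true } |
    Format-Table -AutoSize
```

If the second table is empty, every source reports complexity as enabled; any row that appears there is a place where the setting is disabled or could not be read.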