Controls/EDCA-IAC-019.json
{
  "id": "EDCA-IAC-019",
  "title": "Mobile device mailbox policy requires password expiration of 365 days or less",
  "description": "The PasswordExpiration property on the default mobile device mailbox policy MUST be set to 365 days or fewer. Periodic password expiration limits how long a compromised device password remains usable. The CIS benchmark requires password expiration to be set to 365 days or fewer.",
  "verify": true,
  "subject": "Organization",
  "category": "Identity and Access Control",
  "severity": "Low",
  "severityWeight": 3,
  "frameworks": [
    "Best Practice",
    "CIS"
  ],
  "references": [
    {
      "name": "CIS 3.6 (L1): Ensure Password expiration is set to 365 or less",
      "url": "https://www.cisecurity.org/benchmark/microsoft_exchange_server"
    },
    {
      "name": "Mobile device mailbox policies in Exchange Server",
      "url": "https://learn.microsoft.com/exchange/clients/exchange-activesync/mobile-device-mailbox-policies"
    }
  ],
  "remediation": {
    "automatable": true,
    "description": "Set the password expiration on the default mobile device mailbox policy to 365 days or fewer; the script template sets it to exactly 365 days.",
    "scriptTemplate": "# Set password expiration to 365 days in the default mobile device mailbox policy.\n# Adjust -Identity if the default policy in this organization is not named 'Default'.\nSet-MobileDeviceMailboxPolicy -Identity Default -PasswordExpiration 365"
  },
  "considerations": "Frequent password expiration adds user friction and can push users toward weaker, more predictable passwords. Balance the expiration interval against other compensating controls.",
  "roles": [
    "Mailbox"
  ]
}