SOC 1 - SSAE 16 Type II Audit - Active Directory Password Policies?

KapsZ28

I received the following information about AD passwords for this audit.

Internal network domain (default domain) passwords must conform to the following requirements:

  • Enforce password history (can't reuse a password from the prior 24 passwords)
  • Maximum password age (42 days)
  • Minimum password age of 1 day
  • Minimum password length of 7 characters
  • Complexity requirement enabled
  • Store passwords using reversible encryption.

Does anyone know if this is accurate? I was under the impression that storing passwords using reversible encryption is actually less secure and should only be used if you have a specific application that requires it.
 
Perhaps that was a typo? i.e. irreversible? Sounds more aggressive than HIPAA (max age 60 days/history 6X). I cannot readily find a dictum for SOC 1, is it really a security standard?

Funny, I was also comparing it to HIPAA because I thought it was a bit much. The document I have was provided by an independent auditor. So I don't really know if it is the standard or not.

I believe that is the default for a new 2012 domain policy, except the reversible encryption is disabled. I just built out two 2012 R2 domains and that was the default policy.
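An added example (not code from any poster) of checking a domain's effective default password policy against the checklist in the first post, using the RSAT ActiveDirectory module. It assumes the expected values from that list, and, following the thread's reading that the "reversible encryption" line is a typo, expects ReversibleEncryptionEnabled to be false, since enabling it stores passwords in a recoverable form.

```powershell
# Added example: compare the domain's default password policy with the audit
# checklist. Needs the ActiveDirectory RSAT module and a domain-joined session
# with read access. Expected values are assumptions taken from the thread;
# ReversibleEncryptionEnabled is expected to be $false (reversible storage is
# the less secure setting and is only needed by specific legacy applications).
Import-Module ActiveDirectory

$expected = [ordered]@{
    PasswordHistoryCount        = @{ Op = 'ge'; Value = 24 }
    MaxPasswordAge              = @{ Op = 'le'; Value = (New-TimeSpan -Days 42) }
    MinPasswordAge              = @{ Op = 'ge'; Value = (New-TimeSpan -Days 1) }
    MinPasswordLength           = @{ Op = 'ge'; Value = 7 }
    ComplexityEnabled           = @{ Op = 'eq'; Value = $true }
    ReversibleEncryptionEnabled = @{ Op = 'eq'; Value = $false }
}

function Test-DomainPasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [System.Collections.IDictionary] $Expected = $expected
    )
    foreach ($name in $Expected.Keys) {
        $rule   = $Expected[$name]
        $actual = $Policy.$name          # dynamic property lookup on the policy object
        $pass = switch ($rule.Op) {
            'ge' { $actual -ge $rule.Value }
            'le' { $actual -le $rule.Value }
            'eq' { $actual -eq $rule.Value }
        }
        [pscustomobject]@{
            Setting  = $name
            Expected = "$($rule.Op) $($rule.Value)"
            Actual   = $actual
            Result   = if ($pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

# Effective settings of the Default Domain Policy for the current domain.
$policy = Get-ADDefaultDomainPasswordPolicy
Test-DomainPasswordPolicy -Policy $policy | Format-Table -AutoSize

# Fine-grained password policies (PSOs) override the default for the users
# and groups they target, so an audit has to review them as well.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, PasswordHistoryCount, MaxPasswordAge,
                  MinPasswordLength, ComplexityEnabled, ReversibleEncryptionEnabled |
    Format-Table -AutoSize
```

Any FAIL row on ReversibleEncryptionEnabled is the finding to raise with the auditor, since it means the domain is keeping passwords in a recoverable form.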