Accounts: Must have the built-in Windows password complexity policy enabled

be6a2756-21d7-452c-b0a1-e6032f14f422

Description
The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters (numbers, upper- and lower-case letters, and special characters) and prevents the inclusion of user names or parts of user names. Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000071-GPOS-00039, SRG-OS-000266-GPOS-00101

Remediation

To fix this, configure the policy value for:
Computer Configuration
|_ Windows Settings
   |_ Security Settings
      |_ Account Policies
         |_ Password Policy
            |_ "Password must meet complexity requirements" to "Enabled".
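
One way to verify the setting after remediation (an added example, not part of the original rule text): export the local security policy with `secedit` and read `PasswordComplexity` from the `[System Access]` section, where 1 means Enabled. The helper name `Get-PasswordComplexityState` is hypothetical and the sample export at the end is constructed.

```powershell
# Added example: audit the setting by parsing a "secedit /export" security template.
function Get-PasswordComplexityState {   # hypothetical helper name
    param([string]$InfPath)              # optional: an existing export to parse

    $exported = $false
    if (-not $InfPath) {
        # Export the effective local security policy (requires an elevated session).
        $InfPath = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
        secedit.exe /export /cfg $InfPath /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
        $exported = $true
    }
    try {
        $section = ''
        $value = $null
        foreach ($line in Get-Content -LiteralPath $InfPath) {
            $text = $line.Trim()
            if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
            # The setting lives in [System Access]; 1 = Enabled, 0 = Disabled.
            if ($section -eq 'System Access' -and $text -match '^PasswordComplexity\s*=\s*(\d+)$') {
                $value = [int]$Matches[1]
            }
        }
    }
    finally {
        if ($exported) { Remove-Item -LiteralPath $InfPath -ErrorAction SilentlyContinue }
    }
    # A missing key is reported as non-compliant rather than assumed enabled.
    [pscustomobject]@{
        Setting   = 'PasswordComplexity'
        Value     = $value
        Compliant = ($value -eq 1)
    }
}

# Constructed sample export, so the parser can be exercised without secedit.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'sample-secpol.inf'
@'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 0
[Event Audit]
AuditSystemEvents = 0
'@ | Set-Content -LiteralPath $sample
Get-PasswordComplexityState -InfPath $sample   # parses the constructed file above
Remove-Item -LiteralPath $sample
```

Calling `Get-PasswordComplexityState` with no arguments from an elevated session audits the machine it runs on.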

STIG:
Server:
2022: https://www.stigviewer.com/stig/microsoft_windows_server_2022/2023-09-11/finding/V-254292
2019: https://www.stigviewer.com/stig/microsoft_windows_server_2019/2023-09-11/finding/V-205652 / https://www.stigviewer.com/stig/windows_server_2019/2020-06-15/finding/V-93459
2016: https://www.stigviewer.com/stig/microsoft_windows_server_2016/2023-08-22/finding/V-224873 / https://www.stigviewer.com/stig/windows_server_2016/2020-06-16/finding/V-73323

Desktop:
W11: https://www.stigviewer.com/stig/microsoft_windows_11/2023-09-29/finding/V-253304
W10: https://www.stigviewer.com/stig/microsoft_windows_server_2022/2023-09-11/finding/V-254292 / https://www.stigviewer.com/stig/windows_10/2021-08-18/finding/V-220746

NIST 800-171 Rev2: 3.5.1, 3.5.2
NIST 800-171A: 3.5.1[a], 3.5.1[b], 3.5.1[c]
CMMC V2.0 v1.02 Mapping: IA.1.076 IA.1.077
CMMC V2.0 Level 1 / 2 / 3: IA.L1-3.5.1, IA.L1-3.5.2
CMMC v1: IA.1.077
AICPA TSC 2017: CC6.1
CIS CSC v8: 5.5, 5.6, 6.7, 12.5
COBIT: DSS05.04
CSA CMM v4: IAM-13 IAM-16
IEC 62443-4-2: CR 1.1 (5.3.1) CR 1.1 (5.3.3(1))
ISO 27002: 5.15
ISO 27018: A.10.10
MPA Content Security Program: DS-10.0 DS-8.0
NIST Privacy Framework v1.0: PR.AC-P1 PR.AC-P6
NIST 800-53: IA-2
NIST 800-82: IA-2
NIST 800-161: IA-2
NIST CSF v1.1: PR.AC-6
PCIDSS v3.2: 8.1.1, 8.2
PCIDSS v4.0: 7.1, 7.2, 7.2.1, 7.3, 7.3.1, 7.3.2, 7.3.3, 8.1, 8.2, 8.3, 8.3.3, 8.3.9
Shared Assessments SIG 2022: H.3
Tisax ISA v5.1.0: 4.1.1
US CERT RMM v1.2: AM:SG1.SP1, ID:SG1.SP1, ID:SG1.SP2, ID:SG1.SP3, TM:SG4.SP4
US FAR 52.204-21: 52.204-21(b)(1)(i), 52.204-21(b)(1)(v), 52.204-21(b)(1)(vi)
US HIPAA: 164.312(a)(2)(i)
US IRS 1075: 9.3.7.2