Domain member: Maximum machine account password age
This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the computers no longer change their passwords, an attacker would have more time to undertake a brute force attack against one of the computer accounts.
Counter Measure:
Configure the Domain member: Maximum machine account password age setting to 30 days.
Potential Impact:
None. This is the default configuration.
[max number of days]
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age
(2) REG: ###
(3) WMI: ###
oval:org.secpod.oval:def:36532
SCAP Repo OVAL Definition
2016-08-05