Password can be changed without logining in

syinfra
Hello,

In our VA scan done through a 3rd party, one of the observations came up as "Password can be changed without logging in". The solution provided was to set a registry entry RequireLogonToChangePassword = 1. We are not able to find this entry and need help on how to set it up.

Regards
Ashish
Shaun Vermaak, Technical Specialist

Commented:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
DWORD RequireLogonToChangePassword
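As an added example (not from the answer above), a PowerShell snippet that audits the value at that path and creates it as a DWORD when it is missing, which is the situation the question describes. The path and value name come from the answer; the function names and the elevated-session assumption are mine.

```powershell
# Added example: audit and create the value named in the answer above.
# Path and value name are from the answer; the rest is assumed.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies'
$Name = 'RequireLogonToChangePassword'

function Get-RequireLogonToChangePassword {
    # Returns the current DWORD value, or $null if the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-RequireLogonToChangePassword {
    param([ValidateSet(0, 1)][int]$Value = 1)
    # Create the key if the policies path itself is absent
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Force creates the value when missing and overwrites it when present
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

$before = Get-RequireLogonToChangePassword
Write-Output "Before: $(if ($null -eq $before) { '<not present>' } else { $before })"
Set-RequireLogonToChangePassword -Value 1   # needs an elevated (Administrator) session
Write-Output "After:  $(Get-RequireLogonToChangePassword)"
```

Run the audit function alone if you only need evidence of the current state for the scan report.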
Commented:
You should maybe tell your "3rd party" to update their scans, like, every once in a decade or so. Time has moved on since Windows NT4, which is the last OS where this key actually applied.
2.2.1.1 Password Policies
https://msdn.microsoft.com/en-us/library/cc232772.aspx
Windows ignores the RequireLogonToChangepassword setting.
There used to be a Microsoft KB article 255776, "User Must Log On in Order to Change Password" Option No Longer Exists, but this was for Windows 2000, which is long out of support now, so the article has been removed. It said something about this policy still being documented, but that the setting had been removed in Windows 2000 and that the documentation was incorrect.
That policy wouldn't really make sense, since the user needs to have a network connection to the domain and his old password to change his password, which is similar enough to being logged on as to not make a difference in this case.

Commented:
Scan outdated as per Microsoft documentation.
