id: password-complexity-disabled

info:
  name: Password Complexity Requirements Disabled
  author: princechaddha
  severity: high
  description: Checks if password complexity requirements are disabled.
  impact: |
    Disabling password complexity can lead to the use of weak, easily guessable passwords, increasing the risk of unauthorized access.
  remediation: |
    Enable password complexity requirements to enforce the use of strong, hard-to-guess passwords.
  tags: windows,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LimitBlankPasswordUse').LimitBlankPasswordUse -eq 0) { "Password complexity is disabled" }

    matchers:
      - type: word
        words:
          - "Password complexity is disabled"
# digest: 490a004630440220440bdc1b013ac0c60358a624de84dab4b1350123922ac26a4f1bd773ea25605b02204383724a3fb14cb231d4235952e3c5fd3252b781cc38f122b061488e014239e9:922c64590222798bb761d5b6d8e72950