I came across a strange issue that I wanted to bring up to see if others had noticed this.
To start off, we were working with controls 1071 and 1072 specifically but noticed there were others with this specific issue.
By default, Qualys uses the "greater than or equal to" statement for these controls. However, by default it seems that if these settings are not set on the host, the Windows host uses the setting of "314159265358979" as the default. Therefore, even though the host doesn't have the control set, it passes in the policy. For example:
We have a minimum password length of "8" so we set the control for 1071 to 8. The control checks for anything that is "greater than or equal to" the setting of 8. Because the value "314159265358979" (which MS uses as a default setting) is greater than 8, the control passes.
Now here is the issue: we don't want to punish people for going beyond the control (i.e. setting the minimum length to 10 or 12), and we really don't want to have to create custom controls for all the MS controls that we have found that have a similar issue.
Anyone found a workaround to this?
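One way to model the false pass described in this post, as an added example that is not part of the original post and not Qualys's own evaluation logic: the host values are constructed, and the optional `upper_bound` ceiling is an assumed extra check, not something the post describes.

```python
# Added example (not from the original post or from Qualys). It models the
# "greater than or equal to" evaluation the post describes, shows how a host
# that never had the setting applied passes it, and then shows a hardened
# evaluator that reports the sentinel default as "not configured" instead.
from typing import Dict, Optional

# Value the post reports Windows hosts return when the setting is absent.
NOT_CONFIGURED_SENTINEL = 314159265358979


def naive_check(expected: int, actual: int) -> bool:
    """Plain >= comparison: any value at or above 'expected' passes."""
    return actual >= expected


def hardened_check(expected: int, actual: Optional[int],
                   upper_bound: Optional[int] = None) -> str:
    """Return 'pass', 'fail' or 'not_configured'.

    A host whose reported value is missing or equals the sentinel is flagged
    as not configured rather than silently passing. 'upper_bound' is an
    assumed, caller-supplied ceiling (e.g. the largest length the policy
    could sensibly hold) that catches other implausible placeholder values.
    """
    if actual is None or actual == NOT_CONFIGURED_SENTINEL:
        return "not_configured"
    if upper_bound is not None and actual > upper_bound:
        return "not_configured"
    return "pass" if actual >= expected else "fail"


def evaluate_hosts(expected: int, hosts: Dict[str, Optional[int]],
                   upper_bound: Optional[int] = None) -> Dict[str, str]:
    """Evaluate every host's reported value against the control."""
    return {name: hardened_check(expected, value, upper_bound)
            for name, value in hosts.items()}


if __name__ == "__main__":
    # Constructed sample: minimum password length control set to 8.
    sample = {"host-a": 8, "host-b": 12, "host-c": NOT_CONFIGURED_SENTINEL,
              "host-d": 6, "host-e": None}
    for name, value in sample.items():
        print(name, value, "naive:", value is not None and naive_check(8, value),
              "hardened:", hardened_check(8, value))
    print(evaluate_hosts(8, sample, upper_bound=128))
```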