Password Policy & Session Timeout

Ensure password policy enforcement and idle session timeout settings across Windows, GWS, and Azure to pass Sprinto’s workflow checks and reduce access risk.

Password policies and session timeout configurations are foundational security controls that help prevent unauthorised access and minimise exposure from unattended systems. Sprinto monitors whether your systems enforce secure authentication behaviours, including password complexity, expiration, and idle session handling.

This article outlines the checks Sprinto performs, the platforms they apply to, and how to remediate failing monitors using configuration changes or evidence uploads.


What is Monitored

Sprinto tracks the following areas for password and session hygiene:

  1. Password Policy Enforcement

    • Minimum length (e.g., 8+ characters)

    • Complexity (uppercase, lowercase, symbols, numbers)

    • Rotation frequency and history

    • Reuse restrictions

  2. Auto Session Timeout

    • Idle session timeout for critical systems

    • Configured via system settings or authentication provider policies

  3. Account Lockout Mechanisms

    • Maximum invalid login attempts

    • Lockout duration and alerting

These checks may be automated (via platform integrations) or manual (requiring evidence uploads).


Supported Platforms

Platform              Password Policy Checks    Session Timeout Checks
Windows / Linux       Manual Evidence           Manual Evidence
Google Workspace      Integrated                Integrated
Office365 / Azure     Integrated                Integrated
Okta / IAM Tools      Integrated                Integrated
Sprinto               Workflow Checks           via Monitor Setup


How to Configure Password Policy

A. Windows Server / Local Group Policy

  1. Open Local Security Policy

  2. Navigate to Account Policies > Password Policy

  3. Configure:

    • Minimum length

    • Enforce password history

    • Maximum password age

    • Password complexity

Upload a screenshot of this window to resolve the monitor in Sprinto.


B. Google Workspace

  1. Go to Admin Console > Security > Password Management

  2. Set:

    • Minimum length (8+ recommended)

    • Require numbers, uppercase, lowercase

    • Prevent reuse of last X passwords

  3. Save changes

Sprinto syncs this configuration automatically via API.


C. Microsoft 365 / Azure AD

  1. Navigate to Azure AD > Security > Authentication Methods > Password Protection

  2. Enable:

    • Custom banned password list

    • Password complexity policies

    • Password change notifications

  3. Save and apply the policy


How to Configure Auto Session Timeout

A. Windows

  • Use Group Policy Editor:

    • Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

    • Set Interactive logon: Machine inactivity limit

    • Example: 15 minutes (900 seconds)

Upload a screenshot of the GPO or registry value to resolve the check.
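Both Windows procedures above (section A under "How to Configure Password Policy" and section A here) are GUI steps, and the evidence is a screenshot. The following PowerShell script is an added example, not part of the Sprinto article or Sprinto's product: it reads the same settings back from the machine (the local security policy via a secedit export, and the "Interactive logon: Machine inactivity limit" value, which Windows stores as the InactivityTimeoutSecs registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System), compares them with the thresholds the article gives, and writes a JSON snapshot that can be diffed against an earlier one to spot policy drift. The article gives no figures for password history, maximum age or lockout count; the values used for those three checks are assumptions and should be set to your own policy.

```powershell
# Added example (not from the Sprinto article): audit the local Windows
# password policy and machine inactivity limit against the article's thresholds.
# Run from an elevated PowerShell prompt on the machine being evidenced.
# Values marked "assumed" are not stated in the article; adjust them to your policy.

$checks = @(
    @{ Name = 'MinimumPasswordLength'; Source = 'secedit';  Want = 8;   Test = { param($v) $v -ge 8 } }                  # article: 8+ characters
    @{ Name = 'PasswordComplexity';    Source = 'secedit';  Want = 1;   Test = { param($v) $v -eq 1 } }                  # 1 = complexity enabled
    @{ Name = 'PasswordHistorySize';   Source = 'secedit';  Want = 5;   Test = { param($v) $v -ge 5 } }                  # assumed: remember last 5
    @{ Name = 'MaximumPasswordAge';    Source = 'secedit';  Want = 90;  Test = { param($v) $v -gt 0 -and $v -le 90 } }   # assumed: 90 days (-1 = never expires)
    @{ Name = 'LockoutBadCount';       Source = 'secedit';  Want = 10;  Test = { param($v) $v -gt 0 -and $v -le 10 } }   # assumed: 10 attempts (0 = no lockout)
    @{ Name = 'InactivityTimeoutSecs'; Source = 'registry'; Want = 900; Test = { param($v) $v -gt 0 -and $v -le 900 } }  # article: 15 minutes (0 = not enforced)
)

function Get-LocalSystemAccessPolicy {
    # Export the effective local security policy and parse the numeric entries of
    # its [System Access] section (MinimumPasswordLength, PasswordComplexity, ...).
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    $inSection = $false
    # secedit writes the .inf as UTF-16 LE, hence -Encoding Unicode.
    foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function Get-InactivityTimeoutSecs {
    # Backing value of "Interactive logon: Machine inactivity limit".
    # An absent value or 0 means no idle limit is enforced.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $key -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.InactivityTimeoutSecs
}

$systemAccess = Get-LocalSystemAccessPolicy
$inactivity   = Get-InactivityTimeoutSecs

$results = foreach ($c in $checks) {
    # Missing secedit keys are treated as 0, i.e. the control is not configured.
    $actual = 0
    if ($c.Source -eq 'registry') { $actual = $inactivity }
    elseif ($systemAccess.ContainsKey($c.Name)) { $actual = $systemAccess[$c.Name] }
    $passed = & $c.Test $actual
    [pscustomobject]@{
        Check    = $c.Name
        Required = $c.Want
        Actual   = $actual
        Result   = $(if ($passed) { 'PASS' } else { 'FAIL' })
    }
}

$results | Format-Table -AutoSize

# Keep a dated snapshot with the screenshot; Compare-Object on two snapshots
# shows which settings changed between evidence collections (policy drift).
$snapshot = Join-Path $PWD ('policy-audit-{0:yyyyMMdd-HHmm}.json' -f (Get-Date))
$results | ConvertTo-Json | Set-Content -Path $snapshot
Write-Host "Snapshot written to $snapshot"

# Non-zero exit when any control fails, so the script can gate a scheduled job.
if ($results.Result -contains 'FAIL') { exit 1 } else { exit 0 }
```

The script needs administrator rights because secedit exports the local policy database. On a domain-joined machine the exported values are the effective ones after Group Policy is applied, so the output reflects what the GPO actually enforces, not only what is set locally; the same applies to the registry value, which Group Policy writes when the inactivity limit is configured.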


B. Google Workspace

  1. Go to Admin Console > Security > Access and Data Control > Session Length

  2. Define idle timeout values for user sessions

  3. Apply to organisational units


C. Okta

  1. Go to Security > Authentication > Session

  2. Configure:

    • Session expiration (fixed or rolling)

    • Idle timeouts

  3. Click Save


Remediating in Sprinto

  • Automated checks (e.g., GWS, Okta) update on sync

  • Manual checks require:

    • Screenshot or policy export

    • Brief comment describing enforcement mechanism

  • Use Upload Evidence and click Mark as Resolved


Best Practices

  • Enforce 12-character minimum passwords for admin accounts

  • Apply stricter policies for privileged roles (e.g., system admins)

  • Set session timeouts of 10–15 minutes for unattended devices

  • Monitor policy drift using identity provider logs
