SV-205657r569188_rule
V-205657
SRG-OS-000076-GPOS-00044
WN19-00-000020
CAT II
10
Change the built-in Administrator account password at least every "60" days.
Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to accomplish this.
Review the password last set date for the built-in Administrator account.
Domain controllers:
Open "PowerShell".
Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | Ft Name, SID, PasswordLastSet".
If the "PasswordLastSet" date is greater than "60" days old, this is a finding.
Member servers and standalone systems:
Open "Command Prompt".
Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account.
(The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.)
If the "PasswordLastSet" date is greater than "60" days old, this is a finding.
V-205657
False
WN19-00-000020
Review the password last set date for the built-in Administrator account.
Domain controllers:
Open "PowerShell".
Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | Ft Name, SID, PasswordLastSet".
If the "PasswordLastSet" date is greater than "60" days old, this is a finding.
Member servers and standalone systems:
Open "Command Prompt".
Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account.
(The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.)
If the "PasswordLastSet" date is greater than "60" days old, this is a finding.
M
2907