STIGQter: STIG Summary: Microsoft Windows Server 2016 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 04 May 2021: STIGQter: STIG Summary: Microsoft Windows Server 2016 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 04 May 2021:SV-224820r569186_rule
V-224820
SRG-OS-000076-GPOS-00044
WN16-00-000030
CAT II
10
Change the built-in Administrator account password at least every "60" days.
Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to accomplish this.
Review the password last set date for the built-in Administrator account.
Domain controllers:
Open "PowerShell".
Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | Ft Name, SID, PasswordLastSet".
If the "PasswordLastSet" date is greater than "60" days old, this is a finding.
Member servers and standalone systems:
Open "Command Prompt".
Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account.
(The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.)
If the "PasswordLastSet" date is greater than "60" days old, this is a finding.
V-224820
False
WN16-00-000030
Review the password last set date for the built-in Administrator account.
Domain controllers:
Open "PowerShell".
Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | Ft Name, SID, PasswordLastSet".
If the "PasswordLastSet" date is greater than "60" days old, this is a finding.
Member servers and standalone systems:
Open "Command Prompt".
Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account.
(The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.)
If the "PasswordLastSet" date is greater than "60" days old, this is a finding.
M
4205