SV-225243r569185_rule
V-225243
SRG-OS-000480-GPOS-00227
WN12-00-000007
CAT II
10
Change the built-in Administrator account password at least annually or whenever an administrator leaves the organization. More frequent changes are recommended.
Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to accomplish this.
Review the password last set date for the built-in Administrator account.
Domain controllers:
Open "Windows PowerShell".
Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | FL Name, SID, PasswordLastSet".
If the "PasswordLastSet" date is greater than one year old, this is a finding.
Member servers and standalone systems:
Open "Windows PowerShell" or "Command Prompt".
Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account.
(The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.)
If the "PasswordLastSet" date is greater than one year old, this is a finding.
V-225243
False
WN12-00-000007
Review the password last set date for the built-in Administrator account.
Domain controllers:
Open "Windows PowerShell".
Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | FL Name, SID, PasswordLastSet".
If the "PasswordLastSet" date is greater than one year old, this is a finding.
Member servers and standalone systems:
Open "Windows PowerShell" or "Command Prompt".
Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account.
(The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.)
If the "PasswordLastSet" date is greater than one year old, this is a finding.
M
4214