STIGQter: STIG Summary: Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide, Version 3, Release 2, Benchmark Date: 04 May 2021

Windows 2012/2012 R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.

DISA Rule

SV-226033r569184_rule

Vulnerability Number

V-226033

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

WN12-00-000007

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Change the built-in Administrator account password at least annually or whenever an administrator leaves the organization. More frequent changes are recommended.

Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to accomplish this.

Check Contents

Review the password last set date for the built-in Administrator account.

Domain controllers:

Open "Windows PowerShell".

Enter the following command: Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | FL Name, SID, PasswordLastSet

If the "PasswordLastSet" date is greater than one year old, this is a finding.

Member servers and standalone systems:

Open "Windows PowerShell" or "Command Prompt".

Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account.

(The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.)

If the "PasswordLastSet" date is greater than one year old, this is a finding.
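The domain-controller check above, automated as a single PowerShell function. This is an added example, not part of the STIG or of STIGQter; it assumes the ActiveDirectory module is installed on the domain controller and that the caller can read domain user objects. It looks the account up by its well-known RID rather than by name, since the STIG requires the built-in Administrator to be renamed.

```powershell
# Added example (not STIG or STIGQter code): evaluate WN12-00-000007 on a DC.
# Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

function Test-BuiltinAdminPasswordAge {
    param(
        [int]$MaxAgeDays = 365   # STIG threshold: changed at least annually
    )

    # Build the SID of the built-in Administrator: <domain SID>-500.
    # Matching on the RID avoids depending on the (renamed) account name.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $admin = Get-ADUser -Identity "$domainSid-500" -Properties PasswordLastSet, SID

    if ($null -eq $admin.PasswordLastSet) {
        # PasswordLastSet is empty when the password was never set or the
        # account is flagged "must change at next logon"; the date cannot be
        # verified, so treat it as a finding rather than silently passing.
        $ageDays = $null
    } else {
        $ageDays = [math]::Floor(((Get-Date) - $admin.PasswordLastSet).TotalDays)
    }

    $isFinding = ($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays)

    [pscustomobject]@{
        Name            = $admin.Name
        SID             = $admin.SID.Value
        PasswordLastSet = $admin.PasswordLastSet
        AgeDays         = $ageDays
        Status          = if ($isFinding) { 'Open (finding)' } else { 'NotAFinding' }
    }
}

# Run the check and show the evidence an assessor would record.
Test-BuiltinAdminPasswordAge | Format-List
```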

Severity Override Guidance

Same as Check Contents above.

Check Content Reference

M

Target Key

4217

Comments