
Local administrator accounts on domain systems must not share the same password.


Overview

Finding ID: V-36438
Version: AD.0008
Rule ID: SV-47844r3_rule
IA Controls: ECSC-1
Severity: Medium
Description
Local administrator accounts on domain systems must use unique passwords. In the event a domain system is compromised, sharing the same password for local administrator accounts on domain systems will allow an attacker to move laterally and compromise multiple domain systems.
STIG: Active Directory Domain Security Technical Implementation Guide (STIG)
Date: 2016-02-19

Details

Check Text (C-66437r2_chk)
Verify local administrator accounts on domain systems are using unique passwords. If local administrator accounts on domain systems are sharing a password, this is a finding.

Microsoft's Local Administrator Password Solution (LAPS) provides an automated solution for maintaining and regularly changing the local administrator password for domain-joined systems.

Other automated solutions that provide this capability may also be used.

If LAPS has been installed and enabled in the domain, the following PowerShell query will return a list of systems that do not have a local administrator password managed by LAPS. (The LAPS PowerShell module requires PowerShell 2.0 or higher and .NET Framework 4.0.)

Start PowerShell.
If the LAPS PowerShell module has not been previously imported, execute the following first: "Import-Module AdmPwd.PS".
Execute "Get-AdmPwdPassword -ComputerName * | Where-Object {$_.Password -eq $null}" (the cmdlet exported by the AdmPwd.PS module is Get-AdmPwdPassword).

If any systems are listed, this is a finding.

Ignore computers with "OU=Domain Controllers" in the DistinguishedName field.
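The check above, scripted as a single pass (an added example, not part of the STIG text): it runs the LAPS query, drops domain controllers by their DistinguishedName as the check text directs, and reports whether the result is a finding. It assumes the AdmPwd.PS module is installed on the workstation and that the caller has been delegated read access to the LAPS password attribute.

```powershell
# Added example (not from the STIG): automate the V-36438 check.
# Assumption: the LAPS management tools (AdmPwd.PS module) are installed and
# the current user can read the LAPS-managed password attribute.
Import-Module AdmPwd.PS -ErrorAction Stop

function Get-LapsUnmanagedSystems {
    # Query every computer object LAPS knows about (wildcard, as in the check).
    # Keep only systems with no managed password, then drop domain controllers,
    # which the check text says to ignore.
    Get-AdmPwdPassword -ComputerName * |
        Where-Object { [string]::IsNullOrEmpty($_.Password) } |
        Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' }
}

$unmanaged = @(Get-LapsUnmanagedSystems)

if ($unmanaged.Count -gt 0) {
    Write-Output "FINDING (V-36438): $($unmanaged.Count) domain system(s) have no LAPS-managed local administrator password:"
    $unmanaged | Select-Object ComputerName, DistinguishedName | Format-Table -AutoSize
} else {
    Write-Output 'Not a finding: every in-scope domain system has a LAPS-managed local administrator password.'
}
```

A system listed here still needs a manual look before closing the finding, since a null LAPS password may also mean the client-side extension is installed but the GPO has not yet applied.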

Fix Text (F-71825r1_fix)
Set unique passwords for all local administrator accounts on domain systems.

Microsoft's Local Administrator Password Solution (LAPS) provides an automated solution for maintaining and regularly changing the local administrator password for domain-joined systems.

Other automated solutions that provide this capability may also be used.

See Microsoft Security Advisory 3062591 for additional information and download of LAPS.
https://technet.microsoft.com/en-us/library/security/3062591.aspx