Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-63359 | WN10-00-000065 | SV-77849r1_rule | Low |
Description |
---|
Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disable until needed. |
STIG | Date |
---|---|
Windows 10 Security Technical Implementation Guide | 2017-02-21 |
Check Text ( C-64097r1_chk ) |
---|
Run "PowerShell". Copy the lines below to the PowerShell window and enter. "([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { $user = ([ADSI]$_.Path) $lastLogin = $user.Properties.LastLogin.Value $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 if ($lastLogin -eq $null) { $lastLogin = 'Never' } Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). For example: User1 10/31/2015 5:49:56 AM True Review the list to determine the finding validity for each account reported. Exclude the following accounts: Built-in administrator account (Disabled, SID ending in 500) Built-in guest account (Disabled, SID ending in 501) Built-in DefaultAccount (Disabled, SID ending in 503) Local administrator account If any enabled accounts have not been logged on to within the past 35 days, this is a finding. Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO. |
Fix Text (F-69279r1_fix) |
---|
Regularly review local accounts and verify their necessity. Disable or delete any active accounts that have not been used in the last 35 days. |