
A non-administrator account has administrator rights on the system.


Overview

Finding ID   Version   Rule ID           IA Controls   Severity
V-1127       4.027     SV-29505r1_rule   ECPA-1        Medium
Description
An account that does not have administrator duties should not have Administrator rights. Such rights would allow the account to bypass or modify the security restrictions required on that machine, leaving it vulnerable to attack from both internal and external sources.
STIG                                                                  Date
Windows 2008 Member Server Security Technical Implementation Guide    2012-07-02

Details

Check Text (C-426r1_chk)
If an account, without administrator duties, is a member of the Administrators group, then this is a finding.

Note: The Gold Disk will return a list of all accounts in the Administrators groups for review, to determine whether each membership is applicable.

Using the DUMPSEC utility:

Select “Dump Users as Table” from the “Report” menu.
Select the available fields in the following sequence, and click on the “Add” button for each entry:
UserName
SID
PswdRequired
PswdExpires
LastLogonTime
AcctDisabled
Groups

Documentable Explanation: Approved exceptions to this requirement should be documented with the IAO.
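The same membership check scripted in PowerShell, as an added example that is not part of the STIG (the check text specifies DUMPSEC or the Gold Disk). It uses the WinNT ADSI provider so it also runs on Windows Server 2008 hosts with PowerShell 2.0; the approved-member list is a placeholder to be replaced by the exceptions documented with the IAO.

```powershell
# Added example, not from the STIG: enumerate the local Administrators group and
# flag any member that is not on the documented, IAO-approved list (V-1127).

# PLACEHOLDER: replace with the approved accounts/groups documented with the IAO.
$ApprovedAdmins = @(
    'Administrator',   # built-in local administrator account
    'Domain Admins'    # example approved domain group
)

function Get-LocalAdministrators {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # WinNT provider works on Windows Server 2008 (no Get-LocalGroupMember there).
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $name  = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        New-Object PSObject -Property @{ Name = $name; Class = $class; Path = $path }
    }
}

function Test-V1127 {
    param([string[]]$Approved = $ApprovedAdmins)
    # Compare by name; match on ADsPath instead if local and domain names could collide.
    $findings = Get-LocalAdministrators | Where-Object { $Approved -notcontains $_.Name }
    if ($findings) {
        Write-Output 'FINDING V-1127: members of Administrators not on the approved list:'
        $findings | Format-Table Name, Class, Path -AutoSize | Out-String | Write-Output
        return $false
    }
    Write-Output 'V-1127: every member of Administrators is on the approved list.'
    return $true
}

Test-V1127
```

Run it in an elevated PowerShell session on the member server being reviewed; a $false result means the listed members must either be removed from the group or be documented as approved exceptions.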
Fix Text (F-5773r1_fix)
Configure the system to prevent non-administrators from having administrator rights.