UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

DoD information system access will require the use of a password.


Overview

Finding ID Version Rule ID IA Controls Severity
V-7002 4.017 SV-29549r1_rule IAIA-1 IAIA-2 High
Description
The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources within the same administrative domain.
STIG Date
Windows 2008 Member Server Security Technical Implementation Guide 2015-09-02

Details

Check Text ( C-38507r1_chk )
Verify all accounts require passwords. The following accounts may be excluded from this requirement:
Domain accounts requiring smart card (CAC).

Using the DUMPSEC utility:

Select “Dump Users as Table” from the “Report” menu.
Select the available fields in the following sequence, and click on the “Add” button for each entry:
UserName
SID
PswdRequired
PswdExpires
LastLogonTime
AcctDisabled
Groups

If any accounts, other than the exception noted, have a “No” in the “PswdRequired” column, then this is a finding.

Note: Some built-in or application-generated accounts (e.g., Guest, IWAM_, IUSR, etc.) will not have this flag set, even though there are passwords present. It can be set by entering the following on a command line: “Net user /passwordreq:yes”.

Severity Override: For a DISABLED account(s) with a blank or null password, classify/downgrade this finding to a Category II finding.
Fix Text (F-6581r1_fix)
Configure all DoD information systems to require passwords to gain access.

The password required flag can be set by entering the following on a command line: “Net user /passwordreq:yes”.