Outdated or unused accounts must be removed from the system or disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-1112	4.019	SV-29482r3_rule		Low

Description
Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.

STIG	Date
Windows 2008 Member Server Security Technical Implementation Guide	2018-05-25

Details

Check Text ( C-79563r1_chk )
Open a "Command Prompt" with elevated privileges. (Run as administrator) Domain Controllers: Enter "Dsquery user -limit 0 -inactive 5 -o rdn". A list of user accounts that have been inactive for 5 weeks will be displayed. Disabled Accounts can be determined by using the following: Enter "Dsquery user -limit 0 -disabled -o rdn". Exclude the following accounts: Built-in administrator account Built-in guest account Application accounts If any enabled accounts have not been logged on to within the past 35 days, this is a finding. Member servers and standalone systems: Verify the "Last logon" for each enabled local account on the system. Enter "Net User" to view a list of accounts. For each account enter "Net User [account name]", where [account name] is the name of the account to be reviewed. Exclude the following accounts: Built-in administrator account Built-in guest account Application accounts If "Account active" is "Yes" and the "Last logon" date is more than 35 days old for any accounts, this is a finding. Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO. Note: Other queries or tools may be used. The organization must be able to demonstrate the results are valid and meet the intent of the requirement.

Check Text ( C-79563r1_chk )

Open a "Command Prompt" with elevated privileges. (Run as administrator)

Domain Controllers:

Enter "Dsquery user -limit 0 -inactive 5 -o rdn".
A list of user accounts that have been inactive for 5 weeks will be displayed.

Disabled Accounts can be determined by using the following:
Enter "Dsquery user -limit 0 -disabled -o rdn".

Exclude the following accounts:
Built-in administrator account
Built-in guest account
Application accounts

If any enabled accounts have not been logged on to within the past 35 days, this is a finding.

Member servers and standalone systems:

Verify the "Last logon" for each enabled local account on the system. Enter "Net User" to view a list of accounts.

For each account enter "Net User [account name]", where [account name] is the name of the account to be reviewed.

Exclude the following accounts:
Built-in administrator account
Built-in guest account
Application accounts

If "Account active" is "Yes" and the "Last logon" date is more than 35 days old for any accounts, this is a finding.

Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.

Note: Other queries or tools may be used. The organization must be able to demonstrate the results are valid and meet the intent of the requirement.

Fix Text (F-74863r1_fix)
Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days.