DoD information system access must require the use of a password.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
WN08-GE-000018	WN08-GE-000018	WN08-GE-000018_rule		High

Description
The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources within the same administrative domain.

STIG	Date
Windows 8 Security Technical Implementation Guide	2012-11-21

Details

Check Text ( C-WN08-GE-000018_chk )
Run the DUMPSEC utility. Select "Dump Users as Table" from the "Report" menu. Select the following fields, and click "Add" for each entry: UserName SID PswdExpires AcctDisabled Groups If any accounts have "No" in the "PswdRequired" column, this is a finding. Some built-in or application-generated accounts (e.g., Guest, IWAM_, IUSR, etc.) may not have this flag set, even though there are passwords present. It can be set by entering the following on a command line: "Net user /passwordreq:yes".

Check Text ( C-WN08-GE-000018_chk )

Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry:

UserName
SID
PswdExpires
AcctDisabled
Groups

If any accounts have "No" in the "PswdRequired" column, this is a finding.

Some built-in or application-generated accounts (e.g., Guest, IWAM_, IUSR, etc.) may not have this flag set, even though there are passwords present. It can be set by entering the following on a command line: "Net user /passwordreq:yes".

Fix Text (F-WN08-GE-000018_fix)
Configure all DoD information systems to require passwords to gain access. The password required flag can be set by entering the following on a command line: "Net user /passwordreq:yes".