
Outdated or unused accounts will be removed from the system.


Overview

Finding ID: V-1112
Version: 4.019
Rule ID: SV-32250r1_rule
IA Controls: IAAC-1
Severity: Low
Description
Outdated or unused accounts provide penetration points that may go undetected: nobody is watching them, so misuse of a dormant account does not look like a change in anyone's behaviour.
STIG: Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide
Date: 2013-10-01

Details

Check Text ( C-32879r1_chk )
Using the DUMPSEC utility:

Select “Dump Users as Table” from the “Report” menu.
Select the available fields in the following sequence, and click on the “Add” button for each entry:
UserName
SID
PswdRequired
PswdExpires
PswdLastSetTime
LastLogonTime
AcctDisabled
Groups

If any enabled account has not been logged into within the past 35 days, this is a finding. Determine this from the “LastLogonTime” column. Note that DumpSec reports the last logon recorded on the domain controller it is run against, and the underlying lastLogon attribute is not replicated between DCs, so an account that authenticates only against another DC will show an old or blank value here; run the report against each DC (or confirm with the replicated lastLogonTimestamp) before treating an account as dormant. The following accounts are exempt from this check:

The built-in administrator account
The built-in guest account
Application accounts
The “IUSR”-guest account (used with IIS or Peer Web Services)
Accounts that are less than 35 days old
Disabled accounts

The reviewer should review the list with the SA to determine the finding validity for each account reported.


The following command can be used on Windows 2003/2008 Active Directory if DumpSec cannot be run:

Open a Command Prompt.
Enter “Dsquery user -limit 0 -inactive 5 -o rdn”. (This command reads the replicated lastLogonTimestamp attribute, which only exists once the domain is at the Windows Server 2003 functional level or higher; it does not work in Windows 2000 Native mode.)
A list of user accounts that have been inactive for at least 5 weeks will be displayed. Because lastLogonTimestamp is only rewritten when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default), the output can understate how recently an account was used by up to about two weeks; it never overstates it. Verify listed accounts against the per-DC lastLogon value before recording a finding.

Disabled accounts (which are exempt) can be listed with:
Enter “Dsquery user -limit 0 -disabled -o rdn”.
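The following PowerShell script is an added example of the same check and is not part of the STIG text. It assumes the ActiveDirectory module (RSAT, which needs Active Directory Web Services on a DC) and a domain at Windows Server 2003 functional level or higher. It applies the exemptions the check lists that can be decided from directory data (built-in Administrator and Guest by RID, the IUSR account by name, accounts under 35 days old, disabled accounts), first from the replicated lastLogonTimestamp and then from the unreplicated lastLogon on every DC, so that an account that authenticated against one DC is not reported as dormant by another. The column names in the output mirror the DumpSec fields above.

```powershell
# Added example, not part of the STIG check text. Assumes the ActiveDirectory
# PowerShell module and a domain at Windows Server 2003 functional level or
# higher (required for lastLogonTimestamp). Run as an account that can read
# user objects on every domain controller.
Import-Module ActiveDirectory

$Threshold = (Get-Date).AddDays(-35)

# Pass 1: candidates from the replicated lastLogonTimestamp (exposed as
# LastLogonDate). This is the same attribute "dsquery user -inactive 5" reads.
# It is only rewritten when the stored value is older than
# msDS-LogonTimeSyncInterval (default 14 days), so it can understate recency
# by up to about two weeks but never overstates it.
$Candidates = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, whenCreated, PasswordLastSet, PasswordNeverExpires |
    Where-Object {
        # Exempt the built-in Administrator (RID 500) and Guest (RID 501).
        $_.SID.Value -notmatch '-50[01]$' -and
        # Exempt the IIS anonymous account (IUSR_<host> on IIS 6, IUSR on IIS 7+).
        $_.SamAccountName -notlike 'IUSR*' -and
        # Exempt accounts created within the last 35 days.
        $_.whenCreated -lt $Threshold -and
        # Keep accounts whose replicated last logon is older than 35 days, or absent.
        (-not $_.LastLogonDate -or $_.LastLogonDate -lt $Threshold)
    }

# Pass 2: lastLogon is updated on every logon but is NOT replicated, so each DC
# holds its own value. Take the newest value across all DCs to drop the false
# positives that a single-DC view (DumpSec, or one DC's lastLogon) produces.
$Newest = @{}
foreach ($DC in (Get-ADDomainController -Filter *).HostName) {
    Get-ADUser -Server $DC -Filter 'Enabled -eq $true' -Properties lastLogon -ErrorAction Stop |
        Where-Object { $_.lastLogon } |
        ForEach-Object {
            $Stamp = [DateTime]::FromFileTime($_.lastLogon)
            $Dn    = $_.DistinguishedName
            if (-not $Newest.ContainsKey($Dn) -or $Stamp -gt $Newest[$Dn]) {
                $Newest[$Dn] = $Stamp
            }
        }
}

$Dormant = foreach ($User in $Candidates) {
    $Last = $Newest[$User.DistinguishedName]    # $null when no DC has ever seen a logon
    if (-not $Last -or $Last -lt $Threshold) {
        $LastText = if ($Last) { $Last } else { 'never' }
        [PSCustomObject]@{
            UserName        = $User.SamAccountName
            SID             = $User.SID.Value
            Created         = $User.whenCreated
            PswdExpires     = -not $User.PasswordNeverExpires
            PswdLastSetTime = $User.PasswordLastSet
            LastLogonTime   = $LastText
        }
    }
}

# Application accounts are also exempt, but nothing in the directory marks them
# reliably; review this list with the SA and document accepted accounts with the IAO.
$Dormant | Sort-Object LastLogonTime | Format-Table -AutoSize
```

If only the quick equivalent of the dsquery command is wanted, `Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 35.00:00:00` returns the same lastLogonTimestamp-based candidate list in one call, with the same two-week staleness caveat; the per-DC second pass above is what removes that uncertainty.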

Documentable Explanation: Dormant accounts that have been reviewed and deemed to be required should be documented with the IAO.
Fix Text (F-5758r1_fix)
Regularly review accounts to determine if they are still active. Accounts that have not been used in the last 35 days should either be removed or disabled.