DoD information system access will require the use of a password.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-7002 | 4.017 | SV-32270r1_rule | IAIA-1 IAIA-2 | High |
| Description |
|---|
| The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources within the same administrative domain. |
| STIG | Date |
|---|---|
| Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide | 2013-10-01 |
Details
| Check Text ( C-38507r1_chk ) |
|---|
| Verify all accounts require passwords. The following accounts may be excluded from this requirement: Domain accounts requiring smart card (CAC). Using the DUMPSEC utility: Select “Dump Users as Table” from the “Report” menu. Select the available fields in the following sequence, and click on the “Add” button for each entry: UserName SID PswdRequired PswdExpires LastLogonTime AcctDisabled Groups If any accounts, other than the exception noted, have a “No” in the “PswdRequired” column, then this is a finding. Note: Some built-in or application-generated accounts (e.g., Guest, IWAM_, IUSR, etc.) will not have this flag set, even though there are passwords present. It can be set by entering the following on a command line: “Net user Severity Override: For a DISABLED account(s) with a blank or null password, classify/downgrade this finding to a Category II finding. |
| Fix Text (F-6581r1_fix) |
|---|
| Configure all DoD information systems to require passwords to gain access. The password required flag can be set by entering the following on a command line: “Net user |