Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Outdated or unused accounts must be removed from the system or disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-1112 | 4.019 | SV-32250r2_rule | IAAC-1 | Low |
| Description |
|---|
| Outdated or unused accounts provide penetration points that may go undetected. |
| STIG | Date |
|---|---|
| Windows Server 2008 R2 Member Server Security Technical Implementation Guide | 2015-06-16 |
Details
| Check Text ( C-60983r3_chk ) |
|---|
| Using the DUMPSEC utility: Select "Dump Users as Table" from the "Report" menu. Select the available fields in the following sequence, and click on the "Add" button for each entry: UserName SID LastLogonTime AcctDisabled Review the "LastLogonTime". If any enabled accounts have not been logged on to within the past 35 days, this is a finding. The following accounts are exempt from this check: The built-in administrator account (SID ending in 500) The built-in guest account (SID ending in 501) Application accounts The "IUSR"-guest account (used with IIS or Peer Web Services) Disabled accounts The following command can be used on Active Directory in place of DumpSec: Open a Command Prompt. Enter "Dsquery user -limit 0 -inactive 5 -o rdn". A list of user accounts that have been inactive for 5 weeks will be displayed. Disabled Accounts can be determined by using the following: Enter "Dsquery user -limit 0 -disabled -o rdn". Documentable Explanation: Dormant accounts that have been reviewed and deemed to be required should be documented with the ISSO. |
| Fix Text (F-65713r1_fix) |
|---|
| Regularly review accounts to determine if they are still active. Accounts that have not been used in the last 35 days must either be removed or disabled. |