UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Passwords for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14225 WN12-00-000007 SV-52942r2_rule Medium
Description
The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. Passwords for the built-in Administrator account must be changed at least annually or when any member of the administrative team leaves the organization.
STIG Date
Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide 2017-06-09

Details

Check Text ( C-47248r2_chk )
Determine if any system administrators have left the organization within the last year.

Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry:

UserName
SID
PwsdLastSetTime

If the built-in Administrator account has a date older than one year in the "PwsdLastSetTime" column, this is a finding.
If any system administrators has left the organization within the last year and the "PwsdLastSetTime" field reflects the built-in Administrator account password was not changed at that time, this is a finding.
Fix Text (F-45868r1_fix)
Change the built-in Administrator account password at least annually or whenever an administrator leaves the organization.