UCF STIG Viewer Logo

Accounts must require passwords.


Overview

Finding ID Version Rule ID IA Controls Severity
V-7002 WN12-GE-000015 SV-52940r1_rule High
Description
The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords.
STIG Date
Windows Server 2012 / 2012 R2 Domain Controller Security Technical Implementation Guide 2016-12-19

Details

Check Text ( C-47246r2_chk )
Verify all accounts require passwords.

Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry:

UserName
SID
PswdRequired
AcctDisabled
Groups

If any accounts have "No" in the "PswdRequired" column, this is a finding.

Some built-in or application-generated accounts (e.g., Guest, IWAM_, IUSR, etc.) may not have this flag set, even though there are passwords present. It can be set by entering the following on a command line: "Net user /passwordreq:yes".
Fix Text (F-45866r2_fix)
Ensure all accounts are configured to require passwords to gain access.

The password required flag can be set by entering the following on a command line: "Net user /passwordreq:yes".