UCF STIG Viewer Logo

Passwords for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14225 WN12-00-000007 SV-52942r1_rule ECPA-1 Medium
Description
The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. Passwords for the built-in Administrator account must be changed at least annually or when any member of the administrative team leaves the organization.
STIG Date
Windows Server 2012 Member Server Security Technical Implementation Guide 2014-01-07

Details

Check Text ( C-47248r2_chk )
Determine if any system administrators have left the organization within the last year.

Run the DUMPSEC utility.
Select "Dump Users as Table" from the "Report" menu.
Select the following fields, and click "Add" for each entry:

UserName
SID
PwsdLastSetTime

If the built-in Administrator account has a date older than one year in the "PwsdLastSetTime" column, this is a finding.
If any system administrators has left the organization within the last year and the "PwsdLastSetTime" field reflects the built-in Administrator account password was not changed at that time, this is a finding.
Fix Text (F-45868r1_fix)
Change the built-in Administrator account password at least annually or whenever an administrator leaves the organization.