UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Passwords for the built-in Administrator account must be changed at least every 60 days.


Overview

Finding ID Version Rule ID IA Controls Severity
V-73223 WN16-00-000030 SV-87875r2_rule Medium
Description
The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password not may be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure. Organizations that use an automated tool, such Microsoft's Local Administrator Password Solution (LAPS), on domain-joined systems can configure this to occur more frequently. LAPS will change the password every "30" days by default.
STIG Date
Windows Server 2016 Security Technical Implementation Guide 2017-05-18

Details

Check Text ( C-73327r3_chk )
Review the password last set date for the built-in Administrator account.

Domain controllers:

Open "PowerShell".

Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | Ft Name, SID, PasswordLastSet".

If the "PasswordLastSet" date is greater than "60" days old, this is a finding.

Member servers and standalone systems:

Open "Command Prompt".

Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account.

(The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.)

If the "PasswordLastSet" date is greater than "60" days old, this is a finding.
Fix Text (F-79667r2_fix)
Change the built-in Administrator account password at least every "60" days.

Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to accomplish this.