UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Local users exist on a workstation in a domain.


Overview

Finding ID Version Rule ID IA Controls Severity
V-1148 4.024 SV-29512r1_rule IAAC-1 Low
Description
To minimize potential points of attack, local users, other than built-in accounts such as Administrator and Guest accounts, should not exist on a workstation in a domain. Users should always log onto workstations in a domain domain with their domain accounts. This does not apply to laptop PCs which are designed to function both on the domain and off the domain.
STIG Date
Windows Vista Security Technical Implementation Guide 2013-10-01

Details

Check Text ( C-416r1_chk )
If local users other than the built-in accounts listed below exist on a workstation in a domain this is a finding.

Built-in Administrator (renamed)
Built-in Guest (renamed)
HelpAssistant (XP only)
Support_388945a0 (XP only)

The Gold Disk will return a list of local accounts for review to determine applicability.

Note: This does not apply to laptops that are designed to function both as part of a domain and separate from it.

Using the DUMPSEC utility:

Select “Dump Users as Table” from the “Report” menu.
Select the available fields in the following sequence, and click on the “Add” button for each entry:
UserName
SID
PswdRequired
PswdExpires
LastLogonTime
AcctDisabled
Groups

Documentable Explanation: If a site has need of special purpose local user accounts, then this should be documented with the IAO.

Fix Text (F-5764r1_fix)
Configure the system to restrict the existence of local user accounts.