Check: WN11-00-000085
Microsoft Windows 11 STIG:
WN11-00-000085
(in versions v1 r6 through v1 r3)
Title
Standard local user accounts must not exist on a system in a domain. (Cat III impact)
Discussion
To minimize potential points of attack, local user accounts, other than built-in accounts and local administrator accounts, must not exist on a workstation in a domain. Users must log on to workstations in a domain with their domain accounts.
Check Content
Run "Computer Management". Navigate to System Tools >> Local Users and Groups >> Users. If local users other than the accounts listed below exist on a workstation in a domain, this is a finding. For standalone or nondomain-joined systems, this is Not Applicable. Built-in Administrator account (Disabled) Built-in Guest account (Disabled) Built-in DefaultAccount (Disabled) Built-in defaultuser0 (Disabled) Built-in WDAGUtilityAccount (Disabled) Local administrator account(s) All of the built-in accounts may not exist on a system, depending on the Windows 11 version.
Fix Text
Limit local user accounts on domain-joined systems. Remove any unauthorized local accounts.
Additional Identifiers
Rule ID: SV-253272r890449_rule
Vulnerability ID: V-253272
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |