Microsoft Windows Server 2022 STIG Version Comparison
Microsoft Windows Server 2022 Security Technical Implementation Guide
There are 5 differences between versions v1 r2 (May 11, 2023) (the "left" version) and v1 r4 (Nov. 9, 2023) (the "right" version).
Check WN22-00-000020 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
Windows Server 2022 passwords for the built-in Administrator account must be changed at least every 60 days.
Review If there are no enabled local Administrator accounts, this is Not Applicable. Review the password last set date for the built-in enabled local Administrator account. Domain account. On controllers: Open the local domain-joined workstation: Open "PowerShell". Enter "Get-ADUser -Filter "Get-LocalUser -Name * -Properties SID, PasswordLastSet | Select-Object *". If Where SID -Like "*-500" | Ft Name, SID, PasswordLastSet". If the "PasswordLastSet" date is greater than "60" days old, old for the local Administrator account for administering the computer/domain, this is a finding. Member finding. Verify servers LAPS is configured and standalone or nondomain-joined systems: Open "Command Prompt". Enter 'Net User [account name] | Find /i operational. Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> "Password Password Last Set"', where [account name] Settings >> Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60. If not configured as shown, this is the a finding. Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> name Name of the built-in administrator account. (The name of the built-in Account to manage >> Set to enabled >> Administrator account name must be changed to something other than "Administrator" per STIG requirements.) If the "PasswordLastSet" date is greater than "60" days old, populated. If it is not, this is a finding. Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding.
The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password may not be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure. It is highly recommended exposure. Windows LAPS must be used to use Microsoft's Local Administrator Password Solution (LAPS). Domain-joined systems can configure this to occur more frequently. LAPS will change the built-in Administrator account password password. every "30" days by default. The AO still has the overall authority to use another equivalent capability to accomplish the check.
Change the built-in enabled local Administrator account password at least every 60 days. Windows "60" days. It is highly recommended to use Microsoft's LAPS, LAPS must which may be used on domain-joined member servers to change accomplish this. The AO still has the overall authority built-in Administrator account password. Domain-joined systems can configure this to use another equivalent capability to accomplish occur more frequently. LAPS will change the check. password every 30 days by default. More information is available at: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747 https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status