Check: 4.019
Windows 2008 Member Server STIG: 4.019 (in versions v6 r46 through v6 r40)
Title
Outdated or unused accounts must be removed from the system or disabled. (Cat III impact)
Discussion
Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.
Check Content
Open a "Command Prompt" with elevated privileges. (Run as administrator)

Domain Controllers:

Enter "Dsquery user -limit 0 -inactive 5 -o rdn".
A list of user accounts that have been inactive for 5 weeks will be displayed.

Disabled Accounts can be determined by using the following:
Enter "Dsquery user -limit 0 -disabled -o rdn".

Exclude the following accounts:
- Built-in administrator account
- Built-in guest account
- Application accounts

If any enabled accounts have not been logged on to within the past 35 days, this is a finding.

Member servers and standalone systems:

Verify the "Last logon" for each enabled local account on the system.
Enter "Net User" to view a list of accounts.
For each account enter "Net User [account name]", where [account name] is the name of the account to be reviewed.

Exclude the following accounts:
- Built-in administrator account
- Built-in guest account
- Application accounts

If "Account active" is "Yes" and the "Last logon" date is more than 35 days old for any accounts, this is a finding.

Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.

Note: Other queries or tools may be used. The organization must be able to demonstrate the results are valid and meet the intent of the requirement.
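The member-server check above can be scripted; the following PowerShell is an added example, not part of the STIG text. It assumes English-language "Net User" output with en-US dates; the function name `Test-DormantAccount`, the `svc_backup` application account, the sample accounts, and the handling of a "Never" last logon as a review item are all assumptions made for illustration.

```powershell
# Added example (not STIG text): evaluates "Net User [account name]" output against the 35-day rule.
function Test-DormantAccount {
    param(
        [string]$Name,
        [string[]]$NetUserOutput,          # lines returned by: net user <name>
        [datetime]$AsOf = (Get-Date),
        [int]$ThresholdDays = 35,
        # Assumption: site-specific exclusions; svc_backup is a hypothetical application account.
        [string[]]$Excluded = @('Administrator', 'Guest', 'svc_backup')
    )
    $active = $null; $lastLogon = $null
    foreach ($line in $NetUserOutput) {
        if ($line -match '^Account active\s+(\S+)') { $active = $Matches[1] }
        elseif ($line -match '^Last logon\s+(.+?)\s*$') { $lastLogon = $Matches[1] }
    }
    $status = 'OK'
    if ($Excluded -contains $Name) { $status = 'Excluded' }
    elseif ($null -eq $active -or $null -eq $lastLogon) { $status = 'Review (unparsed output)' }
    elseif ($active -ne 'Yes') { $status = 'Disabled' }
    # Assumption: the check gives no rule for accounts that never logged on, so flag for review.
    elseif ($lastLogon -eq 'Never') { $status = 'Review (never logged on)' }
    else {
        $enUS = [Globalization.CultureInfo]::GetCultureInfo('en-US')
        $when = [datetime]::Parse($lastLogon, $enUS)
        if (($AsOf - $when).TotalDays -gt $ThresholdDays) { $status = 'Finding' }
    }
    New-Object PSObject -Property @{
        Name = $Name; Active = $active; LastLogon = $lastLogon; Status = $status
    }
}

# Constructed sample output (not from a real system), evaluated as of a fixed constructed date.
$sample = @{
    'jdoe'     = @('Account active               Yes', 'Last logon                   3/1/2015 9:14:22 AM')
    'asmith'   = @('Account active               Yes', 'Last logon                   5/20/2015 4:02:10 PM')
    'tempuser' = @('Account active               No',  'Last logon                   1/5/2015 8:00:00 AM')
    'newhire'  = @('Account active               Yes', 'Last logon                   Never')
    'Guest'    = @('Account active               No',  'Last logon                   Never')
}
$sample.Keys | ForEach-Object {
    Test-DormantAccount -Name $_ -NetUserOutput $sample[$_] -AsOf ([datetime]'2015-06-01')
} | Format-Table Name, Active, LastLogon, Status -AutoSize

# On a live system, pass the real command output instead of the sample:
#   Test-DormantAccount -Name 'jdoe' -NetUserOutput (net user jdoe)
```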
Fix Text
Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days.
Additional Identifiers
Rule ID: SV-29482r3_rule
Vulnerability ID: V-1112
Group Title: Dormant Accounts
CCIs
Number | Definition |
---|---|
CCI-000795 | The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity. |
Controls
Number | Title |
---|---|
IA-4 | Identifier Management |