Check: WN16-00-000220
Microsoft Windows Server 2016 STIG:
WN16-00-000220
(in versions v2 r9 through v2 r5)
Title
Windows Server 2016 accounts must require passwords. (Cat II impact)
Discussion
The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords.
Check Content
Review the password required status for enabled user accounts. Open "PowerShell". Domain Controllers: Enter "Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name, Passwordnotrequired, Enabled". Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objects (TDOs). If "Passwordnotrequired" is "True" or blank for any enabled user account, this is a finding. Member servers and standalone or nondomain-joined systems: Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'. Exclude disabled accounts (e.g., DefaultAccount, Guest). If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding.
Fix Text
Configure all enabled user accounts to require passwords. The password required flag can be set by entering the following on a command line: "Net user [username] /passwordreq:yes", substituting [username] with the name of the user account.
Additional Identifiers
Rule ID: SV-224838r958482_rule
Vulnerability ID: V-224838
Group Title: SRG-OS-000104-GPOS-00051
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000764 |
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
Controls
Number | Title |
---|---|
IA-2 |
Identification and Authentication (organizational Users) |