Check: 4.024
Windows Vista STIG:
4.024
(in versions v6 r42 through v6 r41)
Title
Local users must not exist on a system in a domain. (Cat III impact)
Discussion
To minimize potential points of attack, local users, other than built-in accounts such as Administrator and Guest accounts, must not exist on a workstation in a domain. Users must log onto workstations in a domain with their domain accounts.
Check Content
Run the DUMPSEC utility.

Select "Dump Users as Table" from the "Report" menu.

Select the following fields, and click "Add" for each entry:
- UserName
- SID
- AcctDisabled
- Groups

If local users other than the built-in accounts listed below exist on a workstation in a domain, this is a finding:
- Built-in administrator account (SID ending in 500)
- Built-in guest account (SID ending in 501)

If the organization has a need for special purpose local user accounts such as a backup administrator account (see V-14224), this must be documented with the ISSO. This would not be a finding.
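The same review can be scripted. The following PowerShell is an added example, not part of the STIG text: it assumes PowerShell and WMI are available on the workstation, and `$DocumentedExceptions` is a hypothetical parameter for the account names documented with the ISSO.

```powershell
# Added example: scripted form of the DumpSec review for this check.
# $DocumentedExceptions is a hypothetical parameter holding the names of
# special purpose local accounts that are documented with the ISSO.
param([string[]]$DocumentedExceptions = @())

# The requirement concerns workstations in a domain.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Output 'System is not joined to a domain; nothing to review.'
    return
}

# Restrict the query to local accounts; unfiltered, Win32_UserAccount also
# enumerates domain accounts.
$filter = "LocalAccount=True AND Domain='$env:COMPUTERNAME'"
$accounts = @(Get-WmiObject -Class Win32_UserAccount -Filter $filter)

$report = foreach ($a in $accounts) {
    # Group membership through the WinNT ADSI provider (the "Groups" field).
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$($a.Name),user"
    $groups = @($user.psbase.Invoke('Groups') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    # SIDs ending in 500 and 501 are the built-in accounts the check allows.
    if ($a.SID -match '-50[01]$') { $status = 'Built-in' }
    elseif ($DocumentedExceptions -contains $a.Name) { $status = 'Documented' }
    else { $status = 'Finding' }

    New-Object PSObject -Property @{
        UserName = $a.Name; SID = $a.SID; AcctDisabled = $a.Disabled
        Groups = $groups -join ', '; Status = $status
    }
}

$report | Select-Object UserName, SID, AcctDisabled, Groups, Status |
    Format-Table -AutoSize
$findings = @($report | Where-Object { $_.Status -eq 'Finding' })
"{0} undocumented local account(s) found." -f $findings.Count
```

Accounts reported as `Documented` still need the ISSO documentation on file; the script only matches names against the list it is given.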
Fix Text
Limit local user accounts on domain-joined systems. Remove any unauthorized local accounts.
Additional Identifiers
Rule ID: SV-29512r3_rule
Vulnerability ID: V-1148
Group Title: Local Users Exist on a Workstation
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |