Title

The use of local accounts with blank passwords is not restricted to console logons only. (Cat I impact)

Discussion

This is a Category 1 finding because no accounts with blank passwords should exist on a system. The password policy should prevent this from occurring. However, if a local account with a blank password does exist, enabling this setting will limit the account to local console logon only.

Check Content

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for “Accounts: Limit local account use of blank passwords to console logon only” is not set to ” Enabled”, then this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa Value Name: LimitBlankPasswordUse Value Type: REG_DWORD Value: 1

Fix Text

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Accounts: Limit local account use of blank passwords to console logon only” to “Enabled”.

Additional Identifiers

Rule ID: SV-3344r1_rule

Vulnerability ID: V-3344

Group Title: Limit Blank Passwords

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.