Title

Restricted accounts are not disabled. (Cat II impact)

Discussion

Several new accounts are created as part of the default installation. As these accounts are well known they may represent prime attack targets. To help prevent attacks using the well-known accounts the following accounts should be disabled: HelpAssistant and Support_388945a0.

Check Content

Using the DUMPSEC utility: Select “Dump Users as Table” from the “Report” menu. Select the available fields in the following sequence, and click on the “Add” button for each entry: UserName SID PswdRequired PswdExpires LastLogonTime AcctDisabled Groups If the HelpAssistant or Support_388945a0 accounts have not been disabled, then this is a finding.

Fix Text

Configure the system to disable restricted accounts such as HelpAssistant or Support_388945a0.

Additional Identifiers

Rule ID: SV-3369r1_rule

Vulnerability ID: V-3369

Group Title: Restricted Accounts are not Disabled

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.