Check: 4.017
Windows XP STIG:
4.017
(in versions v6 r1.32 through v1 r0)
Title
DOD information system access does not require the use of a password. (Cat I impact)
Discussion
The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources within the same administrative domain.
Check Content
Using the DUMPSEC utility:
1. Select "Dump Users as Table" from the "Report" menu.
2. Select the available fields in the following sequence, clicking the "Add" button for each entry: UserName, SID, PswdRequired, PswdExpires, LastLogonTime, AcctDisabled, Groups.
If any accounts listed in the user report have a "No" in the "PswdRequired" column, then this is a finding.
Note: Some built-in or application-generated accounts (e.g., Guest, IWAM_, IUSR, etc.) will not have this flag set, even though passwords are present. It can be set by entering the following on a command line: "Net user <account_name> /passwordreq:yes".
Severity Override: For a DISABLED account with a blank or null password, classify/downgrade this finding to a Category 2 finding.
Fix Text
Configure all DoD information systems to require passwords to gain access. The password required flag can be set by entering the following on a command line: “Net user <account_name> /passwordreq:yes”.
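As an added example that is not part of the STIG, the check and its severity override can be run directly on the host with PowerShell, reading the same "password not required" account flag that DUMPSEC reports in its PswdRequired column through the ADSI WinNT provider; the function name Get-PasswordNotRequiredFindings and the output layout are assumptions of this example, and the flag bit values are the documented ADS_USER_FLAG constants.

```powershell
# Added example (not from the STIG): list local accounts whose
# "password not required" flag is set, which is what DUMPSEC shows as
# PswdRequired = No. Bit values are the documented ADS_USER_FLAG constants.
$PASSWD_NOTREQD = 0x0020   # ADS_UF_PASSWD_NOTREQD
$ACCOUNTDISABLE = 0x0002   # ADS_UF_ACCOUNTDISABLE

function Get-PasswordNotRequiredFindings {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $computer = [ADSI]"WinNT://$ComputerName"
    $computer.Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        ForEach-Object {
            $flags = [int]$_.UserFlags.Value
            if ($flags -band $PASSWD_NOTREQD) {
                $disabled = [bool]($flags -band $ACCOUNTDISABLE)
                [pscustomobject]@{
                    UserName     = $_.Name
                    AcctDisabled = $disabled
                    # Severity override from the check: a disabled account
                    # is downgraded from CAT I to CAT II.
                    Severity     = if ($disabled) { 'CAT II' } else { 'CAT I' }
                    # Remediation from the Fix Text, emitted for review rather
                    # than executed, so built-in accounts can be judged first.
                    FixCommand   = "net user `"$($_.Name)`" /passwordreq:yes"
                }
            }
        }
}

$findings = Get-PasswordNotRequiredFindings
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No local accounts have the password-not-required flag set; 4.017 is not a finding."
}
```

The script reports the flag only, exactly as the DUMPSEC column does, so the built-in and application-generated accounts mentioned in the Note above still need the same manual judgement before the fix command is run.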
Additional Identifiers
Rule ID: SV-29546r1_rule
Vulnerability ID: V-7002
Group Title: Password Requirement
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check | |
Controls
Number | Title |
---|---|
No controls are assigned to this check | |