Check: 4.024
Windows XP STIG: 4.024 (in versions v6 r1.32 through v1 r0)
Title
Local users exist on a workstation in a domain. (Cat III impact)
Discussion
To minimize potential points of attack, local users, other than built-in accounts such as Administrator and Guest accounts, should not exist on a workstation in a domain. Users should always log onto workstations in a domain with their domain accounts. This does not apply to laptop PCs which are designed to function both on the domain and off the domain.
Check Content
If local users other than the built-in accounts listed below exist on a workstation in a domain, this is a finding.

- Built-in Administrator (renamed)
- Built-in Guest (renamed)
- HelpAssistant (XP only)
- Support_388945a0 (XP only)

The Gold Disk will return a list of local accounts for review to determine applicability.

Note: This does not apply to laptops that are designed to function both as part of a domain and separate from it.

Using the DUMPSEC utility:

Select “Dump Users as Table” from the “Report” menu. Select the available fields in the following sequence, and click on the “Add” button for each entry:

- UserName
- SID
- PswdRequired
- PswdExpires
- LastLogonTime
- AcctDisabled
- Groups

Documentable Explanation: If a site has need of special purpose local user accounts, then this should be documented with the IAO.
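The following is an added example, not part of the STIG or of DumpSec: one way to triage a saved “Dump Users as Table” report against the built-in account list above. It assumes the report was saved as comma-delimited text with a header row naming the selected fields; the sample rows, the function name and the `documented` parameter are constructed for illustration. The built-in Administrator and Guest are recognized by their well-known RIDs (500 and 501), so a renamed account is neither missed nor misreported.

```python
import csv
import io

# RIDs of the built-in Administrator and Guest accounts. The RID is the last
# SID component and does not change when the account is renamed.
BUILTIN_RIDS = {"500", "501"}
# XP-only built-in accounts from the check text, matched by name.
BUILTIN_NAMES = {"helpassistant", "support_388945a0"}

# Constructed sample report (not real DumpSec output); assumed to be saved as
# comma-delimited text with a header row naming the fields selected above.
SAMPLE_REPORT = """\
UserName,SID,PswdRequired,PswdExpires,LastLogonTime,AcctDisabled,Groups
xadm,S-1-5-21-1111111111-2222222222-3333333333-500,Yes,Yes,3/2/2009 8:14 AM,No,Administrators
visitor,S-1-5-21-1111111111-2222222222-3333333333-501,No,No,Never,Yes,Guests
HelpAssistant,S-1-5-21-1111111111-2222222222-3333333333-1000,Yes,No,Never,Yes,
SUPPORT_388945a0,S-1-5-21-1111111111-2222222222-3333333333-1002,Yes,No,Never,Yes,HelpServicesGroup
jsmith,S-1-5-21-1111111111-2222222222-3333333333-1004,Yes,Yes,3/1/2009 4:51 PM,No,Users
oldsvc,S-1-5-21-1111111111-2222222222-3333333333-1005,Yes,No,Never,Yes,"Users,Power Users"
"""


def local_user_findings(report_text, documented=()):
    """Return rows for local accounts that make check 4.024 a finding.

    documented: hypothetical list of account names already documented with
    the IAO, which the reviewer has accepted.
    """
    accepted = {name.lower() for name in documented}
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        name = (row.get("UserName") or "").strip()
        sid = (row.get("SID") or "").strip().upper()
        if not name:
            continue
        rid = sid.rsplit("-", 1)[-1]
        if sid.startswith("S-1-5-21-") and rid in BUILTIN_RIDS:
            continue  # built-in Administrator or Guest, even if renamed
        if name.lower() in BUILTIN_NAMES or name.lower() in accepted:
            continue
        # A disabled account still exists, so it is still reported.
        findings.append({"UserName": name, "SID": sid,
                         "AcctDisabled": row.get("AcctDisabled", "")})
    return findings


if __name__ == "__main__":
    for f in local_user_findings(SAMPLE_REPORT):
        print(f)
```

Because HelpAssistant and Support_388945a0 are matched by name only, the reviewer should still confirm that accounts with those names are the genuine XP built-ins.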
Fix Text
Configure the system to restrict the existence of local user accounts.
Additional Identifiers
Rule ID: SV-29511r1_rule
Vulnerability ID: V-1148
Group Title: Local Users Exist on a Workstation
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |