Accounts: Must require passwords

00279417-0255-4ff4-8b5c-dbb7866085e2

The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords.

Remediation

Configure all enabled accounts to require passwords.

The password-required flag can be set by entering the following on a command line: "net user [username] /passwordreq:yes", substituting [username] with the name of the user account.
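One way to find the accounts this finding applies to and then apply the command above is sketched below. This is an added example, not part of the original finding; the function names are hypothetical and it assumes local accounts only, queried through the Win32_UserAccount CIM class from an elevated PowerShell session.

```powershell
# Added example: audit enabled local accounts that do not require a password,
# then optionally set the flag with the "net user" command from the remediation text.

function Get-AccountWithoutPasswordRequirement {
    # Enabled local accounts whose "password required" flag is cleared.
    Get-CimInstance -ClassName Win32_UserAccount `
        -Filter "LocalAccount=True AND PasswordRequired=False AND Disabled=False" |
        Select-Object Name, SID, PasswordRequired, Disabled
}

function Set-PasswordRequirement {
    # Hypothetical helper: wraps "net user <name> /passwordreq:yes" and supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Name
    )
    process {
        if ($PSCmdlet.ShouldProcess($Name, 'net user /passwordreq:yes')) {
            & net.exe user $Name /passwordreq:yes | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "net user failed for '$Name' (exit code $LASTEXITCODE)"
            }
        }
    }
}

$found = @(Get-AccountWithoutPasswordRequirement)
if ($found.Count -eq 0) {
    Write-Output 'Compliant: every enabled local account requires a password.'
} else {
    Write-Output 'Non-compliant accounts:'
    $found | Format-Table -AutoSize

    # Review the list first, then uncomment to remediate (add -WhatIf for a dry run).
    # $found | Set-PasswordRequirement

    # Re-check after remediation: the query should now return nothing.
    # Get-AccountWithoutPasswordRequirement
}
```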

STIG: Server 2019: https://www.stigviewer.com/stig/windows_server_2019/2020-06-15/finding/V-93439
Server 2016: https://www.stigviewer.com/stig/microsoft_windows_server_2016/2021-09-29/finding/V-224838

NIST 800-171 Rev2: 3.5.1, 3.5.2
NIST 800-171A: 3.5.1[a], 3.5.1[b], 3.5.1[c]
CMMC V2.0 v1.02 Mapping: IA.1.076 IA.1.077
CMMC V2.0 Level 1 / 2 / 3: IA.L1-3.5.1, IA.L1-3.5.2
CMMC v1: IA.1.077
AICPA TSC 2017: CC6.1
CIS CSC v8: 5.5, 5.6, 6.7, 12.5
COBIT: DSS05.04
CSA CMM v4: IAM-13 IAM-16
IEC 62443-4-2: CR 1.1 (5.3.1) CR 1.1 (5.3.3(1))
ISO 27002: 5.15
ISO 27018: A.10.10
MPA Content Security Program: DS-10.0 DS-8.0
NIST Privacy Framework v1.0: PR.AC-P1 PR.AC-P6
NIST 800-53: IA-2
NIST 800-82: IA-2
NIST 800-161: IA-2
NIST CSF v1.1: PR.AC-6
PCIDSS v3.2: 8.1.1, 8.2
PCIDSS v4.0: 7.1, 7.2, 7.2.1, 7.3, 7.3.1, 7.3.2, 7.3.3, 8.1, 8.2, 8.3, 8.3.3, 8.3.9
Shared Assessments SIG 2022: H.3
Tisax ISA v5.1.0: 4.1.1
US CERT RMM v1.2: AM:SG1.SP1, ID:SG1.SP1, ID:SG1.SP2, ID:SG1.SP3, TM:SG4.SP4
US FAR 52.204-21: 52.204-21(b)(1)(i), 52.204-21(b)(1)(v), 52.204-21(b)(1)(vi)
US HIPAA: 164.312(a)(2)(i)
US IRS 1075: 9.3.7.2