PingSentry   |   Discord   |   System32   |   GitHub   |   Free tools

Accounts: Passwords for the built-in Administrator account must be changed at least every 60 days

e228712c-a432-4f66-898d-f0698df9e862

The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password may not be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure.

Windows LAPS must be used to change the built-in Administrator account password.

Remediation

To fix this change the enabled local Administrator account password at least every 60 days. Windows LAPS must be used to change the built-in Administrator account password. Domain-joined systems can configure this to occur more frequently. LAPS will change the password every 30 days by default.

More information is available at:
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status

STIG:
Server
2022: https://system32.eventsentry.com/stig/viewer/V-254239
2019: https://system32.eventsentry.com/stig/viewer/V-205657

Desktop
W11: https://system32.eventsentry.com/stig/viewer/V-253476
W10: https://system32.eventsentry.com/stig/viewer/V-220952

NIST 800-53: CM-6b.
DISA: CAT II
CCI: CCI-000366



Tags

stig-medium-server stig-medium-desktop desktop server compliance-server compliance-desktop security-desktop security-server nist800-53-desktop nist800-53-server

Your Privacy Choices

Manage your cookie preferences below:

Helps us improve website performance and understand how visitors use our site.

Allows us to collect feedback about our products and improve them based on your input.

To learn more about our use of cookies, please see our
Privacy Policy.