STIGQter STIGQter: STIG Summary: Windows 10 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 04 May 2021:

Only accounts responsible for the administration of a system must have Administrator rights on the system.

DISA Rule

SV-220712r569187_rule

Vulnerability Number

V-220712

Group Title

SRG-OS-000324-GPOS-00125

Rule Version

WN10-00-000070

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the system to include only administrator groups or accounts that are responsible for the system in the local Administrators group.

For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group.

Remove any standard user accounts.

Check Contents

Run "Computer Management".
Navigate to System Tools >> Local Users and Groups >> Groups.
Review the members of the Administrators group.
Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group.

For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group.

Standard user accounts must not be members of the local administrator group.

If prohibited accounts are members of the local administrators group, this is a finding.

The built-in Administrator account or other required administrative accounts would not be a finding.

Vulnerability Number

V-220712

Documentable

False

Rule Version

WN10-00-000070

Severity Override Guidance

Run "Computer Management".
Navigate to System Tools >> Local Users and Groups >> Groups.
Review the members of the Administrators group.
Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group.

For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group.

Standard user accounts must not be members of the local administrator group.

If prohibited accounts are members of the local administrators group, this is a finding.

The built-in Administrator account or other required administrative accounts would not be a finding.

Check Content Reference

M

Target Key

4072

Comments