STIGQter: STIG Summary: Windows 10 Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 04 May 2021

Passwords for enabled local Administrator accounts must be changed at least every 60 days.

DISA Rule

SV-220952r569187_rule

Vulnerability Number

V-220952

Group Title

SRG-OS-000076-GPOS-00044

Rule Version

WN10-SO-000280

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Change the enabled local Administrator account password at least every "60" days.

Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to meet this requirement.

Check Contents

Review the password last set date for the enabled local Administrator account.

On the local domain-joined workstation:

Open "PowerShell".

Enter "Get-LocalUser -Name * | Select-Object *"

If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding.
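The manual review above can be scripted; the following is an added example, not part of the STIG text. The function name `Test-LocalAdminPasswordAge`, the inclusion of local members of the Administrators group alongside the built-in account, and the handling of an empty "PasswordLastSet" are assumptions of this example.

```powershell
# Added example: automates the PasswordLastSet review for WN10-SO-000280.
# Test-LocalAdminPasswordAge is a hypothetical helper name, not a STIG or Microsoft cmdlet.
function Test-LocalAdminPasswordAge {
    [CmdletBinding()]
    param(
        [int]$MaxAgeDays = 60   # threshold taken from the check text
    )

    $now = Get-Date

    # SIDs of local user accounts in the built-in Administrators group (well-known SID S-1-5-32-544).
    # Enumeration errors are suppressed; the RID 500 match below still covers the built-in account.
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        ForEach-Object { $_.SID.Value })

    Get-LocalUser |
        Where-Object {
            # The built-in Administrator keeps RID 500 even when it has been renamed.
            $_.Enabled -and
            ($_.SID.Value -like 'S-1-5-21-*-500' -or $adminSids -contains $_.SID.Value)
        } |
        ForEach-Object {
            # Assumption: an empty PasswordLastSet (password never set) is reported as a finding.
            $age = if ($_.PasswordLastSet) {
                [math]::Round(($now - $_.PasswordLastSet).TotalDays, 1)
            } else {
                $null
            }
            [pscustomobject]@{
                Name            = $_.Name
                SID             = $_.SID.Value
                PasswordLastSet = $_.PasswordLastSet
                AgeDays         = $age
                Finding         = ($null -eq $age) -or ($age -gt $MaxAgeDays)
            }
        }
}

# Any row with Finding = True fails the check.
Test-LocalAdminPasswordAge | Format-Table -AutoSize
```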

Documentable

False

Severity Override Guidance

Review the password last set date for the enabled local Administrator account.

On the local domain-joined workstation:

Open "PowerShell".

Enter "Get-LocalUser -Name * | Select-Object *"

If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding.

Check Content Reference

M

Target Key

4072
