Microsoft Windows Server 2019

Windows Server 2019 accounts must require passwords

STIG ID: WN19-00-000200 | SRG: SRG-OS-000104-GPOS-00051 | Severity: Medium | CCI: CCI-000764 | Vulnerability ID: V-205700

Description

The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords.

Check

Review the password required status for enabled user accounts.

Open "PowerShell".

Domain Controllers:

Enter "Get-ADUser -Filter * -Properties PasswordNotRequired | FT Name, PasswordNotRequired, Enabled".

Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objects (TDOs).

If "PasswordNotRequired" is "True" or blank for any enabled user account, this is a finding.

Member servers and standalone or nondomain-joined systems:

Enter 'Get-CimInstance -Class Win32_UserAccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'.

Exclude disabled accounts (e.g., DefaultAccount, Guest).

If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding.

Fix

Configure all enabled accounts to require passwords.

The password required flag can be set by entering the following on a command line: "Net user [username] /passwordreq:yes", substituting [username] with the name of the user account.
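The Check and Fix above combined into one script, as an added example that is not part of the STIG text. It runs the domain-controller or local-account query depending on the machine's role, applies the exclusions the check calls for (disabled accounts, and the interdomain trust accounts that back the trusts the check tells you to skip), and with -Remediate sets the password-required flag on each finding. It assumes an elevated PowerShell session and, on a domain controller, the ActiveDirectory module from RSAT; excluding trust accounts by sAMAccountType (805306370, SAM_TRUST_ACCOUNT) is this script's own choice rather than wording from the STIG.

```powershell
# Added example, not text from the STIG: audit enabled accounts that do not
# require a password (WN19-00-000200) and optionally set the flag on each one.
# Assumptions: elevated session; ActiveDirectory module present on a DC.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # without this switch the script only reports findings
)

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary DC
$isDomainController = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

if ($isDomainController) {
    Import-Module ActiveDirectory -ErrorAction Stop

    # Enabled user objects whose PasswordNotRequired is True or unset (blank),
    # both of which the check treats as a finding. Interdomain trust accounts
    # (sAMAccountType 805306370) are user objects, so drop them here; the
    # sAMAccountType filter is this script's assumption about how to honour the
    # "exclude TDOs" instruction.
    $findings = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNotRequired, sAMAccountType |
        Where-Object { $_.sAMAccountType -ne 805306370 -and $_.PasswordNotRequired -ne $false } |
        Select-Object Name, SamAccountName, PasswordNotRequired, Enabled
} else {
    # Member server or standalone system: local accounts only. Disabled=False
    # removes DefaultAccount, Guest and similar, as the check requires.
    $findings = Get-CimInstance -ClassName Win32_UserAccount `
        -Filter "PasswordRequired=False AND LocalAccount=True AND Disabled=False" |
        Select-Object Name, PasswordRequired, Disabled, LocalAccount
}

if (-not $findings) {
    Write-Output 'No enabled accounts without a password requirement: not a finding.'
    return
}

Write-Output "Finding: $(@($findings).Count) enabled account(s) do not require a password."
$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($account in $findings) {
        if ($PSCmdlet.ShouldProcess($account.Name, 'Set password required flag')) {
            if ($isDomainController) {
                # Same effect as "net user <name> /passwordreq:yes /domain"
                Set-ADUser -Identity $account.SamAccountName -PasswordNotRequired $false
            } else {
                # The fix text's own command, run per local account
                net user $account.Name /passwordreq:yes | Out-Null
            }
        }
    }
}
```

Run it without -Remediate first to see the finding list; add -Remediate -WhatIf to preview the changes before making them. One caveat when remediating: clearing the flag only requires a password from then on, it does not assign one, so an account that currently has a blank password keeps it until you reset it.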