Passwords for enabled local Administrator accounts must be changed at least every 60 days.

STIG ID: WN11-SO-000280  |  SRG: SRG-OS-000076-GPOS-00044 |  Severity: medium (CAT II)  |  CCI: CCI-004066,CCI-000199 |  Vulnerability Id: V-253476

Vulnerability Discussion

The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. A local Administrator account is not generally used and its password may not be changed as frequently as necessary. Changing the password for enabled Administrator accounts on a regular basis will limit their exposure.

Windows LAPS must be used to change the built-in Administrator account password. Operational limitations preventing the use of Windows Local Administrator Password Solution (LAPS) must be approved by the authorizing official (AO).

Check

If there are no enabled local Administrator accounts, this is Not Applicable.

Use of an enabled built-in account without management by LAPS must be documented and supplied to the information system security manager (ISSM)/information system security officer (ISSO) for their risk acceptance.

An alternative process to LAPS is acceptable if it is documented and produces evidence that passwords for Administrator accounts are changed at least every 60 days.

Review the password last set date for the enabled local Administrator account.

On the standalone or domain-joined workstation:

Open "PowerShell".

Enter "Get-LocalUser -Name * | Select-Object *".

If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding.

Verify LAPS is configured and operational.

Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60. If not configured as shown, this is a finding.

Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding.

Fix

Change the enabled local Administrator account password at least every 60 days.

Windows LAPS must be used to change the built-in Administrator account password. Domain-joined and nondomain-joined systems can configure this to occur more frequently. LAPS will change the password every 30 days by default.

Operational limitations preventing the use of LAPS must be approved by the AO.

More information is available at:
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status