The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password may not be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure.
It is highly recommended to use Microsoft's Local Administrator Password Solution (LAPS). Domain-joined systems can configure this to occur more frequently. LAPS will change the password every 30 days by default. The authorizing official (AO) still has the overall authority to use another equivalent capability to accomplish the check.
Check
If there are no enabled local Administrator accounts, this is not applicable.
Review the password last set date for the enabled local Administrator account.
On the stand-alone or domain-joined server:
Open PowerShell.
Enter "Get-LocalUser | Where-Object {$_.SID -like "*500"} | ForEach-Object ($_.PasswordLastSet){"$($_.Name) password is: $([int]((Get-Date) - $_.PasswordLastSet).TotalDays) days old"}".
If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer, this is a finding.
Verify LAPS is configured and operational.
If the system is a stand-alone member server, the LAPS portion of this requirement is not applicable.
Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60.
If not configured as shown, this is a finding.
Navigate to LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational.
Verify LAPS policy process is completing. If it is not, this is a finding.
Fix
Change the built-in Administrator account password at least every 60 days.
It is highly recommended to use Microsoft's LAPS, which may be used on domain-joined member servers to accomplish this. The AO still has the overall authority to use another equivalent capability to accomplish the check.