CUI

USNS MONTFORD POINT - Findings

Back to Ship Export CSV Download POA&M

Showing 4 of 4 findings (filtered) View Documentation Status (90 tracked)

Vuln ID	Severity	Asset	STIG	Title	Status	Doc Status	Assigned To	Actions
V-220952	CAT II	MONT-WS-92040	Microsoft Windows 10 Security Technical ...	Passwords for enabled local Administrator accounts...		-
Check Text If there are no enabled local Administrator accounts, this is Not Applicable. Review the password last set date for the enabled local Administrator account. On the standalone or domain-joined workstation: Open "PowerShell". Enter "Get-LocalUser -Name * \| Select-Object *". If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding. Verify LAPS is configured and operational. Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60. If not configured as shown, this is a finding. Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding. Fix Text Change the enabled local Administrator account password at least every 60 days. Windows LAPS must be used to change the built-in Administrator account password. Domain-joined systems can configure this to occur more frequently. LAPS will change the password every 30 days by default. More information is available at: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747 https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: C5C559038CF7763753A9CF7C4030B47AAC8FE4CB ~~~~~ Enabled local administrator accounts with a password older than 60 days: --------------------------- Account: dod_admin SID: S-1-5-21-3703204072-2228436765-3422267048-1001 Enabled: True Password Last Set: 01/27/2022 19:47:48 (1364 days ago) LAPS Configuration: --------------------------- Policy Name: Password Settings \| Password Complexity Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordComplexity Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings \| Password Length Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordLength Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings \| PasswordAge (Days) Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordAgeDays Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_Win10_V3R4_20251023-142421.ckl Scan Date: 2026-01-14T12:57:26.690022 Technology Area: Windows Operating System
V-220952	CAT II	MONT-WS-92010	Microsoft Windows 10 Security Technical ...	Passwords for enabled local Administrator accounts...		-
Check Text If there are no enabled local Administrator accounts, this is Not Applicable. Review the password last set date for the enabled local Administrator account. On the standalone or domain-joined workstation: Open "PowerShell". Enter "Get-LocalUser -Name * \| Select-Object *". If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding. Verify LAPS is configured and operational. Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60. If not configured as shown, this is a finding. Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding. Fix Text Change the enabled local Administrator account password at least every 60 days. Windows LAPS must be used to change the built-in Administrator account password. Domain-joined systems can configure this to occur more frequently. LAPS will change the password every 30 days by default. More information is available at: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747 https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status Finding Details Evaluate-STIG 1.2507.5 (Scan-Windows10_Checks) found this to be OPEN on 10/23/2025 ResultHash: 8A0A1AAA89816304B9C0B250AA84277B68DB7534 ~~~~~ Enabled local administrator accounts with a password older than 60 days: --------------------------- Account: dod_admin SID: S-1-5-21-2586659569-2484290388-2027984285-1001 Enabled: True Password Last Set: 01/27/2022 19:47:48 (1364 days ago) LAPS Configuration: --------------------------- Policy Name: Password Settings \| Password Complexity Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordComplexity Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings \| Password Length Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordLength Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings \| PasswordAge (Days) Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordAgeDays Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_Win10_V3R4_20251023-141133.ckl Scan Date: 2026-01-14T12:57:28.689048 Technology Area: Windows Operating System
V-220952	CAT II	MONT-SW-89108	Microsoft Windows 10 Security Technical ...	Passwords for enabled local Administrator accounts...		-
Check Text If there are no enabled local Administrator accounts, this is Not Applicable. Review the password last set date for the enabled local Administrator account. On the standalone or domain-joined workstation: Open "PowerShell". Enter "Get-LocalUser -Name * \| Select-Object *". If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding. Verify LAPS is configured and operational. Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60. If not configured as shown, this is a finding. Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding. Fix Text Change the enabled local Administrator account password at least every 60 days. Windows LAPS must be used to change the built-in Administrator account password. Domain-joined systems can configure this to occur more frequently. LAPS will change the password every 30 days by default. More information is available at: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747 https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: AC0D171FAF15B3E83FED29B6E76237F554D99095 ~~~~~ Enabled local administrator accounts with a password older than 60 days: --------------------------- Account: AMPerl.IAAdmin SID: S-1-5-21-4163428051-2768110797-3591193048-1018 Enabled: True Password Last Set: 06/08/2023 23:58:46 (922 days ago) Account: dod_admin SID: S-1-5-21-4163428051-2768110797-3591193048-1001 Enabled: True Password Last Set: 01/27/2022 19:37:24 (1420 days ago) Account: jtbegarek.iaadmin SID: S-1-5-21-4163428051-2768110797-3591193048-1024 Enabled: True Password Last Set: 08/20/2025 14:40:01 (119 days ago) Account: Scan.Admin SID: S-1-5-21-4163428051-2768110797-3591193048-1016 Enabled: True Password Last Set: 03/05/2024 16:43:42 (652 days ago) Account: tljones.iaadmin SID: S-1-5-21-4163428051-2768110797-3591193048-1023 Enabled: True Password Last Set: 04/17/2025 19:19:53 (244 days ago) LAPS Configuration: --------------------------- Policy Name: Password Settings \| Password Complexity Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordComplexity Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings \| Password Length Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordLength Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings \| PasswordAge (Days) Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordAgeDays Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Source: MONT-SW-89108_Win10_V3R5_20251217-203019.ckl Scan Date: 2026-03-04T15:25:16.342077 Technology Area: Windows Operating System
V-220952	CAT II	MONT-SW-89134	Microsoft Windows 10 Security Technical ...	Passwords for enabled local Administrator accounts...		-
Check Text If there are no enabled local Administrator accounts, this is Not Applicable. Review the password last set date for the enabled local Administrator account. On the standalone or domain-joined workstation: Open "PowerShell". Enter "Get-LocalUser -Name * \| Select-Object *". If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding. Verify LAPS is configured and operational. Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60. If not configured as shown, this is a finding. Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding. Fix Text Change the enabled local Administrator account password at least every 60 days. Windows LAPS must be used to change the built-in Administrator account password. Domain-joined systems can configure this to occur more frequently. LAPS will change the password every 30 days by default. More information is available at: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747 https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status Finding Details Evaluate-STIG 1.2510.0 (Scan-Windows10_Checks) found this to be OPEN on 12/17/2025 ResultHash: A274B6C9BF0D9AD4F7001AD178081F1387B781F3 ~~~~~ Enabled local administrator accounts with a password older than 60 days: --------------------------- Account: AMPerl.IAAdmin SID: S-1-5-21-4004422625-1934610219-1178763574-1021 Enabled: True Password Last Set: 08/13/2023 16:24:18 (857 days ago) Account: dod_admin SID: S-1-5-21-4004422625-1934610219-1178763574-1001 Enabled: True Password Last Set: 01/27/2022 19:37:24 (1420 days ago) Account: jtbegarek.iaadmin SID: S-1-5-21-4004422625-1934610219-1178763574-1026 Enabled: True Password Last Set: 08/20/2025 14:07:02 (119 days ago) Account: scan.admin SID: S-1-5-21-4004422625-1934610219-1178763574-1022 Enabled: True Password Last Set: 03/05/2024 16:39:13 (652 days ago) Account: tljones.iaadmin SID: S-1-5-21-4004422625-1934610219-1178763574-1024 Enabled: True Password Last Set: 08/08/2024 02:24:09 (496 days ago) LAPS Configuration: --------------------------- Policy Name: Password Settings \| Password Complexity Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordComplexity Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings \| Password Length Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordLength Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Policy Name: Password Settings \| PasswordAge (Days) Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value Name: PasswordAgeDays Value: (NotFound) Value Type: (NotFound) Configured: False [finding] Source: MONT-SW-89134_Win10_V3R5_20251217-201218.ckl Scan Date: 2026-03-04T15:25:42.339596 Technology Area: Windows Operating System

CUI