| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-254239 | CAT II | SCHR-P3-DP-001 | Microsoft Windows Server 2022 Security T... | Windows Server 2022 passwords for the built-in Adm... | - | |||
Check Text:

If there are no enabled local Administrator accounts, this is Not Applicable.

Review the password last set date for the enabled local Administrator account.

On the stand alone or domain-joined server:

Open "PowerShell".

Enter "Get-LocalUser | Where-Object {$_.SID -like "*500"} | ForEach-Object ($_.PasswordLastSet){"$($_.Name) password is: $([int]((Get-Date) - $_.PasswordLastSet).TotalDays) days old"}".

If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer, this is a finding.

Verify LAPS is configured and operational. If the system is a stand alone member server, the LAPS portion of this requirement is Not Applicable.

Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> System >> LAPS >> Password Settings >> Set to enabled. Password Complexity, large letters + small letters + numbers + special, Password Length 14, Password Age 60. If not configured as shown, this is a finding.

Verify LAPS Operational logs >> Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> LAPS >> Operational. Verify LAPS policy process is completing. If it is not, this is a finding.

Fix Text:

Change the enabled local Administrator account password at least every 60 days. For domain-joined systems, Windows LAPS must be used to change the built-in Administrator account password.

More information is available at:
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status

Finding Details:

Evaluate-STIG 1.2601.0 (Scan-WindowsServer2022_Checks) found this to be OPEN on 03/05/2026
ResultHash: CF568A5923900BF3889A9601FFD0FFE6DEB1930C
~~~~~
Enabled local administrator accounts with a password older than 60 days:
---------------------------
Account: DOD_Admin
SID: S-1-5-21-2359828523-3188837691-268305261-1000
Enabled: True
Password Last Set: 11/11/2025 23:12:23 (113 days ago)

LAPS Configuration:
---------------------------
Policy Name: Password Settings | Password Complexity
Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS
Value Name: PasswordComplexity
Value: 4
Value Type: REG_DWORD
Configured: True

Policy Name: Password Settings | Password Length
Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS
Value Name: PasswordLength
Value: 14
Value Type: REG_DWORD
Configured: True

Policy Name: Password Settings | PasswordAge (Days)
Path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS
Value Name: PasswordAgeDays
Value: 60
Value Type: REG_DWORD
Configured: True

Comments:

Windows Server 2022 passwords for the built-in Administrator account have been changed. This is Not a Finding.

Source: SCHR-P3-DP-001_WinServer2022_V2R7_20260305-133436.cklb
Scan Date: 2026-03-05T13:34:36
Technology Area: Windows Operating System