Unused accounts must be disabled or removed from the system after 35 days of inactivity.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-253268 | WN11-00-000065 | SV-253268r1051039_rule | CCI-000172 | low |
| Description | ||||
| Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disable until needed. Satisfies: SRG-OS-000468-GPOS-00212, SRG-OS-000118-GPOS-00060 | ||||
| STIG | Date | |||
| Microsoft Windows 11 Security Technical Implementation Guide | 2025-05-15 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AU-12
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.3.1
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.3.2
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000172
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-253268r1051039_chk)
Run "PowerShell".
Copy the lines below to the PowerShell window and enter.
"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach {
$user = ([ADSI]$_.Path)
$lastLogin = $user.Properties.LastLogin.Value
$enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2
if ($lastLogin -eq $null) {
$lastLogin = 'Never'
}
Write-Host $user.Name $lastLogin $enabled
}"
This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False).
For example: User1 10/31/2015 5:49:56 AM True
Review the list to determine the finding validity for each account reported.
Exclude the following accounts:
Built-in administrator account (Disabled, SID ending in 500)
Built-in guest account (Disabled, SID ending in 501)
Built-in DefaultAccount (Disabled, SID ending in 503)
Local administrator account
If any enabled accounts have not been logged on to within the past 35 days, this is a finding.
Inactive accounts that have been reviewed and deemed to be required must be documented with the information system security officer (ISSO).
Fix Text (F-56671r828887_fix)
Review local accounts and verify their necessity. Disable or delete any active accounts that have not been used in the last 35 days.