Standard local user accounts must not exist on a system in a domain.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-253272 | WN11-00-000085 | SV-253272r991589_rule | CCI-000366 | low |
| Description | ||||
| To minimize potential points of attack, local user accounts, other than built-in accounts and local administrator accounts, must not exist on a workstation in a domain. Users must log on to workstations in a domain with their domain accounts. | ||||
| STIG | Date | |||
| Microsoft Windows 11 Security Technical Implementation Guide | 2025-05-15 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-253272r991589_chk)
Run "Computer Management".
Navigate to System Tools >> Local Users and Groups >> Users.
If local users other than the accounts listed below exist on a workstation in a domain, this is a finding.
For standalone or nondomain-joined systems, this is Not Applicable.
Built-in Administrator account (Disabled)
Built-in Guest account (Disabled)
Built-in DefaultAccount (Disabled)
Built-in defaultuser0 (Disabled)
Built-in WDAGUtilityAccount (Disabled)
Local administrator account(s)
All of the built-in accounts may not exist on a system, depending on the Windows 11 version.
Fix Text (F-56675r828899_fix)
Limit local user accounts on domain-joined systems. Remove any unauthorized local accounts.