Unused accounts must be disabled or removed from the system after 35 days of inactivity.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-220711 | WN10-00-000065 | SV-220711r1051018_rule | CCI-003627 | low |
| Description | ||||
| Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed. | ||||
| STIG | Date | |||
| Microsoft Windows 10 Security Technical Implementation Guide | 2025-02-25 | |||
Details
Check Text (C-220711r1051018_chk)
Run "PowerShell".
Copy the lines below to the PowerShell window and enter.
"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach {
$user = ([ADSI]$_.Path)
$lastLogin = $user.Properties.LastLogin.Value
$enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2
if ($lastLogin -eq $null) {
$lastLogin = 'Never'
}
Write-Host $user.Name $lastLogin $enabled
}"
This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False).
For example: User1 10/31/2015 5:49:56 AM True
Review the list to determine the finding validity for each account reported.
Exclude the following accounts:
Built-in administrator account (Disabled, SID ending in 500)
Built-in guest account (Disabled, SID ending in 501)
Built-in DefaultAccount (Disabled, SID ending in 503)
Local administrator account
If any enabled accounts have not been logged on to within the past 35 days, this is a finding.
Inactive accounts that have been reviewed and deemed to be required must be documented with the information system security officer (ISSO).
Fix Text (F-22415r997897_fix)
Regularly review local accounts and verify their necessity. Disable or delete any active accounts that have not been used in the last 35 days.