Detections
Analytics
WN25-00-000020 - Windows Server 2025 passwords for the built-in Administrator account must be changed at least every 60 days.
Information
The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password may not be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure.It is highly recommended to use Microsoft's Local Administrator Password Solution (LAPS). Domain-joined systems can configure this to occur more frequently. LAPS will change the password every 30 days by default. The authorizing official (AO) still has the overall authority to use another equivalent capability to accomplish the check.
Solution
Change the built-in Administrator account password at least every 60 days.It is highly recommended to use Microsoft's LAPS, which may be used on domain-joined member servers to accomplish this. The AO still has the overall authority to use another equivalent capability to accomplish the check.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2025_V1R1_STIG.zip
Item Details
Audit Name: DISA Microsoft Windows Server 2025 STIG v1r1
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-5(1)(a), CAT|II, CCI|CCI-004066, Rule-ID|SV-277986r1182007_rule, STIG-ID|WN25-00-000020, Vuln-ID|V-277986
Plugin: Windows
Control ID: 9aec5e4180d0e22c49c17282675d32f9f3134757d047b10741d05de05a4b20c6