Local administrator accounts on domain systems must not share the same password.
An XCCDF Rule
Description
<VulnDiscussion>Local administrator accounts on domain systems must use unique passwords. In the event a domain system is compromised, sharing the same password for local administrator accounts on domain systems will allow an attacker to move laterally and compromise multiple domain systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID: SV-243471r854327_rule
- Severity: Medium
- References
- Updated
Remediation - Manual Procedure
Set unique passwords for all local administrator accounts on domain systems.
It is highly recommended to use Microsoft's Local Administrator Password Solution (LAPS), which provides an automated solution for maintaining and regularly changing the local administrator password on domain-joined systems. If additional local administrator accounts exist across systems, the organization must have a process that requires a unique password on each system for those additional accounts.
The AO may approve other automated solutions that provide this capability.
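The following PowerShell audit script is an added example, not part of the STIG text or its check content. It lists enabled domain computers whose local administrator password is not under LAPS management, or whose LAPS-managed password has passed its expiration time, by reading the documented expiration attributes of legacy LAPS (ms-Mcs-AdmPwdExpirationTime) and Windows LAPS (msLAPS-PasswordExpirationTime). It assumes the ActiveDirectory module is installed and the account running it has read access to those attributes.

```powershell
# Added audit helper (not part of the STIG): find domain computers whose local
# administrator password is not being rotated by LAPS. Assumes the
# ActiveDirectory module and read access to the expiration-time attributes.
Import-Module ActiveDirectory

$legacyAttr  = 'ms-Mcs-AdmPwdExpirationTime'    # legacy (Microsoft) LAPS
$windowsAttr = 'msLAPS-PasswordExpirationTime'  # Windows LAPS
$now = (Get-Date).ToFileTimeUtc()               # both attributes hold a FILETIME (UTC)

$report = Get-ADComputer -Filter 'Enabled -eq $true' -Properties $legacyAttr, $windowsAttr |
    ForEach-Object {
        # Prefer the Windows LAPS attribute; fall back to the legacy one.
        $expiry = if ($_.$windowsAttr)    { [int64]$_.$windowsAttr }
                  elseif ($_.$legacyAttr) { [int64]$_.$legacyAttr }
                  else                    { $null }

        # NotManaged: no LAPS expiration recorded, so the password is likely a
        # static (possibly shared) one. Expired: LAPS is configured but the
        # client has not rotated the password on schedule.
        $state = if ($null -eq $expiry)   { 'NotManaged' }
                 elseif ($expiry -lt $now) { 'Expired' }
                 else                      { 'Managed' }

        $expiresAt = $null
        if ($expiry) { $expiresAt = [datetime]::FromFileTimeUtc($expiry) }

        [pscustomobject]@{
            Computer = $_.Name
            State    = $state
            Expires  = $expiresAt
        }
    }

# Findings for this rule: hosts where a unique, rotating local admin password is not assured.
$report | Where-Object State -ne 'Managed' | Sort-Object State, Computer | Format-Table -AutoSize

# Summary counts per state, useful as evidence for the check.
$report | Group-Object State | Select-Object Name, Count
```

Hosts reported as NotManaged still need a documented process (or an AO-approved alternative solution) that guarantees a unique password per system.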