CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark
Rationale:
Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd:PasswordComplexity
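The registry check described in this Audit section can be scripted. The following PowerShell is an added example, not part of the benchmark text. The function name Test-LapsPasswordComplexity is hypothetical, and the numeric encoding of the setting (DWORD 1 to 4, with 4 as the prescribed value) is an assumption that is not stated on this page.

```powershell
# Added example (not from the benchmark): audit the LAPS PasswordComplexity policy value.
# Assumption: the DWORD encoding 1-4 below is not given on the page.
$ComplexityLabels = @{
    1 = 'Large letters'
    2 = 'Large letters + small letters'
    3 = 'Large letters + small letters + numbers'
    4 = 'Large letters + small letters + numbers + special characters'
}

function Test-LapsPasswordComplexity {
    [CmdletBinding()]
    param(
        # Registry location named in the Audit section.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd',
        # Assumed DWORD for the setting prescribed in the Remediation section.
        [int]$Required = 4
    )

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        Value        = $null
        Setting      = $null
        # Reported when the policy value is absent, so an unset policy
        # can be told apart from one that was set to a weaker option.
        Status       = 'NotConfigured'
    }

    $prop = Get-ItemProperty -Path $KeyPath -Name 'PasswordComplexity' -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $value = [int]$prop.PasswordComplexity
        $result.Value = $value
        $result.Setting = if ($ComplexityLabels.ContainsKey($value)) {
            $ComplexityLabels[$value]
        } else {
            'Unknown value'
        }
        $result.Status = if ($value -eq $Required) { 'Pass' } else { 'Fail' }
    }

    [pscustomobject]$result
}

# Emit one result object per machine; pipe to Export-Csv when collecting from many hosts.
Test-LapsPasswordComplexity | Format-List
```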
Remediation:
To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters:
Computer Configuration\Policies\Administrative Templates\LAPS\Password Settings
Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS).
Impact:
LAPS-generated passwords will be required to contain large letters + small letters + numbers + special characters.
Default Value:
Large letters + small letters + numbers + special characters.