20.45 Ensure 'Outdated or unused accounts are removed or disabled'

Information

This policy setting ensures that all outdated or unused accounts are removed or disabled.

The recommended STIG state for this setting is: 35 days or older

Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days.

Impact:

Outdated or unused accounts that are older than 35 days will be deleted or disabled.

See Also

https://workbench.cisecurity.org/benchmarks/15105