The Directory Service Restore Mode (DSRM) password must be changed at least annually.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-25840 | AD.0151 | SV-32179r1_rule | IAIA-1 IAIA-2 | Medium |
| Description |
|---|
| This is a tremendously powerful password which should be changed periodically. This password is unique to each DC and is used to logon to a DC when rebooting into the server recovery mode. With a weak or known password, anyone with local access to the DC can reboot this machine, copy or modify the Active Directory database, and reboot the server without leaving any trace of the activity. Failure to change the DSRM password periodically could allow a compromised resource (maliciously or through personnel turnover) to go undetected for an extended period. Failure to change the DSRM password could allow an unknown (lost) password to go undetected. If not corrected during a periodic review, the problem might surface during an actual recovery operation and delay or prevent the recovery. |
| STIG | Date |
|---|---|
| Active Directory Domain Security Technical Implementation Guide (STIG) | 2011-05-12 |
Details
| Check Text ( C-32375r1_chk ) |
|---|
| 1. Interview the IAM. 2. Obtain a copy of the site’s policy that addresses password change frequency. 3. Check that the policy addresses the requirement for the DSRM password to be changed at least yearly. Alternatively review logs or other evidence that indicates that the password has been changed within the last year. Note that there is no known method to check password age online while the server is active as a domain controller. 4. If there is no policy for changing the DSRM password at least yearly or no indication that it has been changed within the last year, then this is a finding. |
| Fix Text (F-28702r1_fix) |
|---|
| Create or implement a local site policy to change the DSRM password at least yearly. |