
Only systems dedicated for the sole purpose of managing Active Directory must be used to manage Active Directory remotely.


Overview

Finding ID: V-36436
Version: AD.MP.0001
Rule ID: SV-47842r2_rule
IA Controls: ECSC-1
Severity: Medium
Description
Only domain systems used exclusively to manage Active Directory (referred to as AD admin platforms) must be used to manage Active Directory remotely. Dedicating domain systems solely to managing Active Directory helps protect privileged domain accounts from compromise. This includes not only managing normal users and computers within Active Directory, but also the management of Active Directory itself and the Domain Controllers (DCs) that run it, including such activities as administering trusts, replication, schema changes, site topology, domain-wide group policy, the addition of new DCs, DC software installation, and DC backup and restore operations.
STIG: Active Directory Domain Security Technical Implementation Guide (STIG)
Date: 2014-04-01

Details

Check Text (C-49399r2_chk)
If Active Directory is only managed with local logons to domain controllers, not remotely, this can be marked NA.

Verify that any domain systems used to manage Active Directory remotely are used exclusively for managing Active Directory. If domain systems used for managing Active Directory are used for additional functions, this is a finding.

In situations where an additional physical machine dedicated to AD admin tasks is not practicable, virtual machines (VMs) may be securely employed in either of the following configurations:

- Windows 8, Windows Server 2012 or later for the AD admin management role.
- Local guest VMs running within Hyper-V for all other tasks, including admin roles on other servers as well as any user tasks such as web browsing or email.

- Windows 7 or Windows Server 2008 R2 for the AD admin management role.
- A Type-1 hypervisor hosting local guest VMs for the other tasks.

In either case, the higher-integrity AD admin platform must be the host OS, with the lower-integrity platforms in separate guest VMs. The host OS must be configured not to forward the AD admin credentials to the guest VMs or otherwise make the AD admin credentials available to them. Additionally, guest VMs used for user and less critical admin activities must apply the security requirements from the applicable STIG, in particular so that AD admin accounts are denied all logon types.
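As an added example, not part of the STIG or any DISA tool, the following PowerShell audits a guest VM's local user-rights assignments for the "denied all logon types" requirement on AD admin accounts. It assumes an elevated session running as a domain user on the guest VM, and it assumes that Domain Admins, Enterprise Admins and Schema Admins are the AD admin groups in scope (extend the list for any custom AD admin groups).

```powershell
# Added example (not STIG or DISA code): report every (deny-logon right, AD admin group)
# pair that is NOT set on this guest VM. Assumed scope: the three groups below.
$adminGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
$denyRights  = @(
    'SeDenyInteractiveLogonRight',        # Deny log on locally
    'SeDenyNetworkLogonRight',            # Deny access to this computer from the network
    'SeDenyBatchLogonRight',              # Deny log on as a batch job
    'SeDenyServiceLogonRight',            # Deny log on as a service
    'SeDenyRemoteInteractiveLogonRight'   # Deny log on through Remote Desktop Services
)

function ConvertTo-Sid([string]$Account) {
    # Resolve DOMAIN\Name (or a bare name) to a SID string; pass SIDs through unchanged.
    if ($Account -match '^S-1-') { return $Account }
    try {
        return ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }   # unresolvable account (e.g. orphaned SID or special name)
}

# Export only the user-rights area of local security policy, then parse the SeDeny* lines.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$assignments = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*(SeDeny\w+)\s*=\s*(.*)$') {
        $right = $Matches[1]; $value = $Matches[2]
        # secedit writes SIDs with a leading '*' and some special accounts by name.
        $assignments[$right] = $value -split ',' |
            ForEach-Object { ConvertTo-Sid ($_.Trim().TrimStart('*')) }
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# $env:USERDOMAIN is the NetBIOS domain of the logged-on domain user (assumption above).
$adminSids = @{}
foreach ($g in $adminGroups) { $adminSids[$g] = ConvertTo-Sid "$env:USERDOMAIN\$g" }

# One row per (right, group); a row with Denied = False is a gap against the check text.
$results = foreach ($right in $denyRights) {
    foreach ($g in $adminGroups) {
        [pscustomobject]@{
            Right  = $right
            Group  = $g
            Denied = [bool]($adminSids[$g] -and ($assignments[$right] -contains $adminSids[$g]))
        }
    }
}
$results | Where-Object { -not $_.Denied } | Format-Table -AutoSize
```

An empty table means every listed AD admin group is denied all five logon types on this VM; rights assigned by domain Group Policy rather than local policy still appear in the secedit export, so the check reflects the effective local setting.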
Fix Text (F-49310r1_fix)
Set aside domain systems to manage Active Directory remotely. Ensure they are used only for the purpose of managing Active Directory. Otherwise, use the local domain controller console to manage Active Directory.