
Separate domain administrative accounts must be used to manage AD admin platforms from any domain accounts used on, or used to manage, non-AD admin platforms.


Overview

Finding ID: V-43711
Version: AD.MP.0003
Rule ID: SV-56532r1_rule
IA Controls: ECPA-1
Severity: Medium
Description
AD admin platforms are used for highly privileged activities. The accounts that have administrative privileges on AD admin platforms must not be used on, or used to manage, any non-AD admin platform. Otherwise, there would be a clear path for privilege escalation to EA/DA privileges. Where practicable, dedicated domain accounts should be used to manage AD admin platforms; otherwise, Enterprise Admin (EA)/Domain Admin (DA) accounts may be used to manage AD admin platforms.
STIG: Active Directory Domain Security Technical Implementation Guide (STIG)
Date: 2014-04-01

Details

Check Text (C-49401r1_chk)
Review the local Administrators group of the AD admin platforms. Verify that the domain administrative accounts used to manage AD admin platforms are separate from those used on, or used to manage, non-AD admin platforms. These should be dedicated domain accounts where practicable; otherwise EA/DA accounts may be used. If any account used to manage AD admin platforms is also used on or to manage a non-AD admin platform, this is a finding.
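As an added illustration of the check above (not part of the STIG text), the following PowerShell collects the domain principals in each platform's local Administrators group and reports any that hold local admin on both an AD admin platform and a non-AD admin platform; the host names and account names are constructed placeholders.

```powershell
# Added example (not part of the STIG text): compare local Administrators membership
# across AD admin platforms and non-AD admin platforms and flag any domain account
# that holds local admin on both. Host and account names are constructed placeholders.
$AdAdminPlatforms    = @('ADMINJUMP01', 'ADMINJUMP02')   # placeholder AD admin platforms
$NonAdAdminPlatforms = @('FILESRV01', 'WEBSRV01')        # placeholder non-AD admin platforms

function Get-DomainLocalAdmins {
    # Returns the domain principals in each host's local Administrators group.
    # Needs PowerShell 5.1+ (Get-LocalGroupMember) and WinRM access to the hosts.
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Where-Object PrincipalSource -eq 'ActiveDirectory' |
            ForEach-Object {
                [pscustomobject]@{ Host = $env:COMPUTERNAME; Account = $_.Name; Class = $_.ObjectClass }
            }
    }
}

function Find-SharedAdminAccounts {
    # Core check: a domain account or group that is a local admin on both an
    # AD admin platform and a non-AD admin platform is a finding.
    param($AdAdmins, $NonAdAdmins)
    $adSet    = @($AdAdmins    | Select-Object -ExpandProperty Account -Unique)
    $nonAdSet = @($NonAdAdmins | Select-Object -ExpandProperty Account -Unique)
    if (-not $adSet -or -not $nonAdSet) { return }
    $shared = Compare-Object -ReferenceObject $adSet -DifferenceObject $nonAdSet -IncludeEqual -ExcludeDifferent |
              Select-Object -ExpandProperty InputObject
    foreach ($acct in $shared) {
        [pscustomobject]@{
            Account         = $acct
            AdAdminHosts    = ($AdAdmins    | Where-Object Account -eq $acct).Host -join ','
            NonAdAdminHosts = ($NonAdAdmins | Where-Object Account -eq $acct).Host -join ','
        }
    }
}

# Constructed sample data so the comparison runs without WinRM; in a real review use
# Get-DomainLocalAdmins $AdAdminPlatforms and Get-DomainLocalAdmins $NonAdAdminPlatforms.
$sampleAd = @(
    [pscustomobject]@{ Host = 'ADMINJUMP01'; Account = 'CORP\adm-t0-alice'; Class = 'User' },
    [pscustomobject]@{ Host = 'ADMINJUMP01'; Account = 'CORP\Domain Admins'; Class = 'Group' }
)
$sampleNonAd = @(
    [pscustomobject]@{ Host = 'FILESRV01'; Account = 'CORP\adm-t0-alice'; Class = 'User' },
    [pscustomobject]@{ Host = 'WEBSRV01';  Account = 'CORP\srv-admins';   Class = 'Group' }
)
$findings = Find-SharedAdminAccounts -AdAdmins $sampleAd -NonAdAdminPlatforms $sampleNonAd
if ($findings) { $findings | Format-Table -AutoSize } else { 'No shared accounts: not a finding' }
```

Get-LocalGroupMember does not expand nested domain groups, so a domain group listed on a non-AD admin platform must also be checked for AD admin platform administrators among its members.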
Fix Text (F-49312r1_fix)
Use domain administrative accounts to manage AD admin platforms that are separate from the accounts used on, or used to manage, non-AD admin platforms. These should be dedicated domain accounts where practicable; otherwise EA/DA accounts may be used.