UCF STIG Viewer Logo

Only systems dedicated for the sole purpose of managing Active Directory must be used to manage Active Directory remotely.


Overview

Finding ID Version Rule ID IA Controls Severity
V-36436 AD.MP.0001 SV-47842r4_rule ECSC-1 Medium
Description
Only domain systems used exclusively to manage Active Directory (referred to as AD admin platforms) must be used to manage Active Directory remotely. Dedicating domain systems to be used solely for managing Active Directory will aid in protecting privileged domain accounts from being compromised. This includes the management of Active Directory itself and the Domain Controllers (DCs) that run Active Directory, including such activities as domain level user and computer management, administering trusts, replication, schema changes, site topology, domain-wide group policy, the addition of new DCs, DC software installation, and DC backups and restore operations. Some maintenance activities may be delegated and do not require the use of an AD admin platform. These include non-domain level activities such as user and computer management as well as group policy maintenance in site defined organizational units. Accounts that have been delegated these activities must not be members of Domain or Enterprise Admin groups. These activities may still be performed with the use of an AD admin platform for the additional protections they provide.
STIG Date
Active Directory Domain Security Technical Implementation Guide (STIG) 2014-12-18

Details

Check Text ( C-58505r2_chk )
If Active Directory is only managed with local logons to domain controllers, not remotely, this can be marked NA.

Verify that any domain systems used to manage Active Directory remotely are used exclusively for managing Active Directory. If domain systems used for managing Active Directory are used for additional functions, this is a finding.

In situations where an additional physical machine dedicated to AD admin tasks is not practicable, virtual machines (VM) may be securely employed in either of the following configurations:
-Windows 8, Windows Server 2012 or later for the AD admin management role.
-Use local guest VMs running within Hyper-V for all other tasks to include admin roles on other servers as well as any user tasks such as web browsing or email.

-Use a Type-1 Hypervisor with separate guest VMs for AD admin management roles and any other roles.

In either case, the higher integrity AD admin platform and the lower integrity platforms must be separate. The AD admin platform must be configured not to forward the AD admin credentials to other guest VMs or to make the AD admin credentials available to other guest VMs. Additionally, guest VMs for user and less critical admin activities must apply the security requirements from the applicable STIG, especially so that AD admin accounts are denied all logon types.
Fix Text (F-49310r1_fix)
Set aside domain systems to manage Active Directory remotely. Ensure they are used only for the purpose of managing Active Directory. Otherwise, use the local domain controller console to manage Active Directory.