UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Directory Service Restore Mode (DSRM) password must be changed at least annually.


Overview

Finding ID Version Rule ID IA Controls Severity
V-25840 AD.0151 SV-32179r2_rule IAIA-1 IAIA-2 Medium
Description
This is a tremendously powerful password which should be changed periodically. This password is unique to each DC and is used to logon to a DC when rebooting into the server recovery mode. With a weak or known password, anyone with local access to the DC can reboot this machine, copy or modify the Active Directory database, and reboot the server without leaving any trace of the activity. Failure to change the DSRM password periodically could allow a compromised resource (maliciously or through personnel turnover) to go undetected for an extended period. Failure to change the DSRM password could allow an unknown (lost) password to go undetected. If not corrected during a periodic review, the problem might surface during an actual recovery operation and delay or prevent the recovery.
STIG Date
Active Directory Domain Security Technical Implementation Guide (STIG) 2016-02-19

Details

Check Text ( C-32375r1_chk )
1. Interview the IAM.

2. Obtain a copy of the site’s policy that addresses password change frequency.

3. Check that the policy addresses the requirement for the DSRM password to be changed at least yearly. Alternatively review logs or other evidence that indicates that the password has been changed within the last year.
Note that there is no known method to check password age online while the server is active as a domain controller.

4. If there is no policy for changing the DSRM password at least yearly or no indication that it has been changed within the last year, then this is a finding.
Fix Text (F-28702r1_fix)
Create or implement a local site policy to change the DSRM password at least yearly.