Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-43711 | AD.MP.0003 | SV-56532r2_rule | ECPA-1 | Medium |
Description |
---|
AD admin platforms are used for highly privileged activities. The accounts that have administrative privileges on AD admin platforms must not be used on or used to manage any non-AD admin platforms. Otherwise, there would be a clear path for privilege escalation to EA/DA privileges. Where practicable, dedicated domain accounts that are used to manage AD admin platforms should be utilized, but otherwise Enterprise Admin (EA)/Domain Admin (DA) accounts may be used to manage AD admin platforms. |
STIG | Date |
---|---|
Active Directory Domain Security Technical Implementation Guide (STIG) | 2016-02-19 |
Check Text ( C-49401r1_chk ) |
---|
Review the local Administrators group of AD admin platforms. Verify separate domain administrative accounts are used to manage AD admin platforms from non-AD admin platforms. These should be dedicated domain accounts where practicable. Otherwise EA/DA accounts may be used. If accounts used to manage AD admin platforms are used for any non-AD admin platforms, this is a finding. |
Fix Text (F-49312r1_fix) |
---|
Use separate domain administrative accounts to manage AD admin platforms from non-AD admin platforms. These should be dedicated domain accounts where practicable. Otherwise EA/DA accounts may be used. |