The number of member accounts in privileged groups must not be excessive.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-8548	AD.0240	SV-9045r2_rule	ECLP-1 ECPA-1	Medium

Description
Membership in the following Windows security groups assigns a high privilege level for AD functions: Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, and Incoming Forest Trust Builders. When a large number of users are members of highly privileged groups, the risk from unintended updates or compromised accounts is significantly increased. A lack of specific baseline documentation on privileged group membership makes it impossible to determine if the assigned accounts are consistent with the intended security policy. Further Policy Details: It is possible to move the highly privileged AD security groups out of the AD Users container. If the Domain Admins, Enterprise Admins, Schema Admins, or Group Policy Creator Owners groups are not in the AD Users container, ask the SA for the new location and use that location for this check.

Description

Membership in the following Windows security groups assigns a high privilege level for AD functions: Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, and Incoming Forest Trust Builders. When a large number of users are members of highly privileged groups, the risk from unintended updates or compromised accounts is significantly increased. A lack of specific baseline documentation on privileged group membership makes it impossible to determine if the assigned accounts are consistent with the intended security policy. Further Policy Details: It is possible to move the highly privileged AD security groups out of the AD Users container. If the Domain Admins, Enterprise Admins, Schema Admins, or Group Policy Creator Owners groups are not in the AD Users container, ask the SA for the new location and use that location for this check.

STIG	Date
Active Directory Domain Security Technical Implementation Guide (STIG)	2016-02-19

Details

Check Text ( C-7707r1_chk )
1. Start the Active Directory Users and Computers console (Start, Run, “dsa.msc”). 2. Select and expand the left pane item that matches the name of the domain being reviewed. 3. Select the Built-in container. If the Incoming Forest Trust Builders group is defined perform the following: a. Double-click on the group and select the Members tab b. Count the number of accounts in the group c. Compare the accounts in the group with the local documentation. 4. Select the Users container. For each of the Domain Admins, Enterprise Admins, Schema Admins, and Group Policy Creator Owners groups perform the following: a. Double-click on the group and select the Members tab b. Count the number of accounts in the group c. Compare the accounts in the group with the local documentation. 5. If an account in a highly privileged AD security group is not listed in the local documentation, then this is a finding. 6. If the number of accounts defined in a highly privileged AD security group is greater than the number below, review the site documentation that justifies this number. a. For the Enterprise Admins, Schema Admins, Group Policy Creator Owners, and Incoming Forest Trust Builders groups, the number of accounts should be between zero (0) and five (5). b. The number of Domain Admins should be between one (1) and ten (10). 7. If the number of accounts defined in a highly privileged AD security group is greater than the guidance above and there is no documentation that justifies the number, then this is a finding.

Check Text ( C-7707r1_chk )

1. Start the Active Directory Users and Computers console (Start, Run, “dsa.msc”).

2. Select and expand the left pane item that matches the name of the domain being reviewed.

3. Select the Built-in container. If the Incoming Forest Trust Builders group is defined perform the following:
a. Double-click on the group and select the Members tab
b. Count the number of accounts in the group
c. Compare the accounts in the group with the local documentation.

4. Select the Users container. For each of the Domain Admins, Enterprise Admins, Schema Admins, and Group Policy Creator Owners groups perform the following:
a. Double-click on the group and select the Members tab
b. Count the number of accounts in the group
c. Compare the accounts in the group with the local documentation.

5. If an account in a highly privileged AD security group is not listed in the local documentation, then this is a finding.

6. If the number of accounts defined in a highly privileged AD security group is greater than the number below, review the site documentation that justifies this number.
a. For the Enterprise Admins, Schema Admins, Group Policy Creator Owners, and Incoming Forest Trust Builders groups, the number of accounts should be between zero (0) and five (5).
b. The number of Domain Admins should be between one (1) and ten (10).

7. If the number of accounts defined in a highly privileged AD security group is greater than the guidance above and there is no documentation that justifies the number, then this is a finding.

Fix Text (F-8068r1_fix)
Update the site documentation to include all the accounts that are members of highly privileged groups. Annotate the account list(s) with a statement such as, “The high number of privileged accounts is required to address site operational requirements.” Reduce the number of accounts in highly privileged groups to the minimum level necessary.