The Directory Service Restore Mode (DSRM) password must be changed at least annually.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-25840	AD.0151	SV-32179r3_rule		Medium

Description
The Directory Service Restore Mode (DSRM) password, used to log on to a domain controller (DC) when rebooting into the server recovery mode, is very powerful. With a weak or known password, someone with local access to the DC can reboot the server and copy or modify the Active Directory database without leaving any trace of the activity. Failure to change the DSRM password periodically could allow compromised of the Active Directory. It could also allow an unknown (lost) password to go undetected. If not corrected during a periodic review, the problem might surface during an actual recovery operation and delay or prevent the recovery.

Description

The Directory Service Restore Mode (DSRM) password, used to log on to a domain controller (DC) when rebooting into the server recovery mode, is very powerful. With a weak or known password, someone with local access to the DC can reboot the server and copy or modify the Active Directory database without leaving any trace of the activity. Failure to change the DSRM password periodically could allow compromised of the Active Directory. It could also allow an unknown (lost) password to go undetected. If not corrected during a periodic review, the problem might surface during an actual recovery operation and delay or prevent the recovery.

STIG	Date
Active Directory Domain Security Technical Implementation Guide (STIG)	2017-12-15

Details

Check Text ( C-72941r2_chk )
Verify the organization has a process that addresses DSRM password change frequency. If DSRM passwords are not changed at least annually, this is a finding.

Fix Text (F-79247r1_fix)
Change the DSRM password at least annually.