
Only Privileged Access Workstations (PAWs) dedicated for the sole purpose of managing Active Directory must be used to manage Active Directory remotely.


Overview

Finding ID: V-36436
Version: AD.MP.0001
Rule ID: SV-47842r5_rule
IA Controls: (none listed)
Severity: Medium
Description
Only domain systems used exclusively to manage Active Directory, referred to as Privileged Access Workstations (PAWs), must be used to manage Active Directory remotely. Dedicating domain systems solely to managing Active Directory helps protect privileged domain accounts from compromise. This includes the management of Active Directory itself and of the Domain Controllers (DCs) that run it, including such activities as domain-level user and computer management, administering trusts, replication, schema changes, site topology, domain-wide group policy, the addition of new DCs, DC software installation, and DC backup and restore operations.

Some maintenance activities may be delegated and do not require the use of an AD admin platform. These include non-domain-level activities such as user and computer management, as well as group policy maintenance, in site-defined organizational units. Accounts that have been delegated these activities must not be members of Domain or Enterprise Admin groups. These activities may still be performed with an AD admin platform for the additional protection it provides.

See the Windows Privileged Access Workstation (PAW) STIG for additional configuration requirements.
STIG: Active Directory Domain Security Technical Implementation Guide (STIG)
Date: 2018-09-13

Details

Check Text (C-80167r2_chk)
If Active Directory is only managed with local logons to domain controllers, not remotely, this can be marked NA.

Verify that any PAWs used to manage Active Directory remotely are used exclusively for managing Active Directory. If PAWs used for managing Active Directory are used for additional functions, this is a finding.
Fix Text (F-87299r2_fix)
Use PAWs to manage Active Directory remotely. Ensure they are used only for the purpose of managing Active Directory. Otherwise, use the local domain controller console to manage Active Directory.

See the Windows Privileged Access Workstation (PAW) STIG for additional configuration requirements.
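As an added example, not part of the STIG itself, the following PowerShell script run in an elevated session on a candidate PAW inventories installed applications and enabled Windows features and reports anything outside AD administration tooling, which is the evidence the check above asks for. The allow-list and the non-administrative feature patterns are assumptions and must be aligned with the organization's approved PAW build.

```powershell
# Added example (not part of the STIG): local audit of a candidate PAW.
# Reports installed applications and enabled Windows features that fall outside
# AD administration tooling. Run in an elevated PowerShell session on the PAW.
# All patterns below are assumptions; align them with the approved PAW build.

$AllowedApps = @(                     # applications expected on a PAW (assumed)
    '^Microsoft Visual C\+\+',        # runtime dependencies of admin consoles
    '^Microsoft Update Health Tools'
)
$NonAdminFeatures = @(                # feature-name prefixes indicating other workloads (assumed)
    '^IIS-', '^Microsoft-Hyper-V', '^Microsoft-Windows-Subsystem-Linux', '^Containers'
)
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Findings = [System.Collections.Generic.List[object]]::new()

# 1. Installed applications that are not on the allow-list
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.SystemComponent -ne 1 } |
    ForEach-Object {
        $name = $_.DisplayName
        if (-not ($AllowedApps | Where-Object { $name -match $_ })) {
            $Findings.Add([pscustomobject]@{ Type = 'Application'; Item = $name })
        }
    }

# 2. Enabled Windows features associated with non-administrative workloads
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.State -eq 'Enabled' } |
    ForEach-Object {
        $feature = $_.FeatureName
        if ($NonAdminFeatures | Where-Object { $feature -match $_ }) {
            $Findings.Add([pscustomobject]@{ Type = 'Feature'; Item = $feature })
        }
    }

# 3. Confirm the AD administration tooling (RSAT AD DS/LDS tools) is present
$rsat = Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools*' |
    Select-Object -First 1
if (-not $rsat -or $rsat.State -ne 'Installed') {
    $Findings.Add([pscustomobject]@{ Type = 'Tooling'; Item = 'RSAT AD DS/LDS tools not installed' })
}

if ($Findings.Count -eq 0) {
    'No software or features outside AD administration tooling detected.'
} else {
    'Review the following items; anything not required for AD management is a finding:'
    $Findings | Format-Table -AutoSize
}
```

The report is evidence for the manual check, not a replacement for it: an item listed as "Application" or "Feature" still needs a human decision on whether it is required for managing Active Directory.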