The domain must be configured to restrict privileged administrator accounts from logging on to lower-tier hosts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-78167	WPAW-00-001200	SV-92873r1_rule		Medium

Description
If the domain is not configured to restrict privileged administrator accounts from logging on to lower-tier hosts, it would be impossible to isolate administrative accounts to specific trust zones and protect IT resources from threats from high-risk trust zones. Blocking logon to lower-tier assets helps protect IT resources in a tier from being attacked from a lower tier.

STIG	Date
Windows PAW Security Technical Implementation Guide	2020-05-15

Details

Check Text ( C-77733r1_chk )
Verify domain systems are configured to prevent higher-tier administrative accounts from logging on to lower-tier hosts. This can be accomplished by adding the higher-tier administrative groups to the Deny log on user rights of the lower-tier system. These include the following user rights: Deny log on as a batch job Deny log on as a service Deny log on locally If domain systems are not configured to prevent higher-tier administrative accounts from logging on to lower-tier hosts, this is a finding. Domain and Enterprise Admins are currently required to be included in the appropriate deny user rights in the Windows STIGs for member servers and workstations. Note: Severity category exception - Upgrade to a CAT I finding if any Tier 0 administrative account used to manage high-value IT resources is able to log on to a lower-tier host.

Check Text ( C-77733r1_chk )

Verify domain systems are configured to prevent higher-tier administrative accounts from logging on to lower-tier hosts.

This can be accomplished by adding the higher-tier administrative groups to the Deny log on user rights of the lower-tier system. These include the following user rights:

Deny log on as a batch job
Deny log on as a service
Deny log on locally

If domain systems are not configured to prevent higher-tier administrative accounts from logging on to lower-tier hosts, this is a finding.

Domain and Enterprise Admins are currently required to be included in the appropriate deny user rights in the Windows STIGs for member servers and workstations.

Note: Severity category exception - Upgrade to a CAT I finding if any Tier 0 administrative account used to manage high-value IT resources is able to log on to a lower-tier host.

Fix Text (F-84889r1_fix)
Configure domain systems to prevent higher-tier administrative accounts from logging on to lower-tier hosts. Assign higher-tier administrative groups to the Deny log on user rights of lower-tier hosts. This includes the following user rights: Deny log on as a batch job Deny log on as a service Deny log on locally Domain and Enterprise Admins are currently required to be included in the appropriate deny user rights in the Windows STIGs for member servers and workstations.

Fix Text (F-84889r1_fix)

Configure domain systems to prevent higher-tier administrative accounts from logging on to lower-tier hosts.

Assign higher-tier administrative groups to the Deny log on user rights of lower-tier hosts. This includes the following user rights:

Deny log on as a batch job
Deny log on as a service
Deny log on locally

Domain and Enterprise Admins are currently required to be included in the appropriate deny user rights in the Windows STIGs for member servers and workstations.