Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-78169 | WPAW-00-001300 | SV-92875r1_rule | High |
Description |
---|
Domain controllers (DC) are usually the most sensitive, high-value IT resources in a domain. Dedicating a PAW to be used solely for managing domain controllers will aid in protecting privileged domain accounts from being compromised. For Windows, this includes the management of Active Directory itself and the DCs that run Active Directory, including such activities as domain-level user and computer management, administering trusts, replication, schema changes, site topology, domain-wide group policy, the addition of new DCs, DC software installation, and DC backup and restore operations. |
STIG | Date |
---|---|
Windows PAW Security Technical Implementation Guide | 2020-05-15 |
Check Text ( C-77735r1_chk ) |
---|
If domain controllers and directory services are only managed with local logons to domain controllers, not remotely, this requirement is not applicable. Discuss with the Information System Security Manager (ISSM) or PAW system administrators and review any available site documentation. Verify that a site has designated specific PAWs for the sole purpose of remote management of domain controllers and directory service servers. Review any available site documentation. Verify that any PAW used to manage domain controllers and directory services remotely are used exclusively for managing domain controllers and directory services. If the site has not designated specific PAWs for the sole purpose of remote management of domain controllers and directory service servers, this is a finding. If PAWs used for managing domain controllers and directory services are used for additional functions, this is a finding. |
Fix Text (F-84891r1_fix) |
---|
Set aside one or more PAWs for remote management of Active Directory. Ensure they are used only for the purpose of managing directory services. Otherwise, use the local domain controller console to manage Active Directory. |