UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Policy must require that administrative accounts not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.


Overview

Finding ID Version Rule ID IA Controls Severity
V-36451 WN12-00-000008 SV-51578r1_rule ECSC-1 High
Description
Using applications that access the Internet or have potential Internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while running as a privileged user, the entire system could be compromised. Web browsers and email are common attack vectors for introducing malicious code and must not be run with an administrative account. Since administrative accounts may generally change or work around technical restrictions for running a web browser or other applications, it is essential that policy requires administrative accounts to not access the Internet or use applications, such as email. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices.
STIG Date
Windows Server 2012 / 2012 R2 Domain Controller Security Technical Implementation Guide 2015-09-02

Details

Check Text ( C-46841r2_chk )
Determine whether site policy prohibits the use of applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, by administrative accounts, except as necessary for local service administration. If it does not, this is a finding.
Fix Text (F-44707r2_fix)
Establish a site policy to prohibit the use of applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, by administrative accounts. Ensure the policy is enforced.