A group must be defined on domain systems to include all local administrator accounts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-45589	WN12-GE-000200-MS	SV-58487r2_rule	ECLP-1	Low

Description
Several user rights on domain systems require that local administrator accounts be assigned to them. This is separate from the built-in Administrators group, which also contains domain administrative accounts/groups. Defining a consistent group name allows compliance to be more easily determined.

STIG	Date
Windows Server 2012 / 2012 R2 Member Server Security Technical Implementation Guide	2014-12-18

Details

Check Text ( C-58023r2_chk )
This requirement is NA for non domain-joined systems. This requirement may be satisfied by the existence of the new built-in security groups "Local account" or "Local account and member of Administrators group". Execute the following PowerShell commands to determine if the new built-in security groups exist on the system: $SID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-113") $Account = $SID.Translate([System.Security.Principal.NTAccount]) $Account.Value If the group exists, "NT Authority\Local account" will be returned. (Using SID S-1-5-114 will return "NT Authority\Local account and member of Administrators group".) If the built-in groups exist, this is not a finding. If the built-in groups do not exist on the system, review local groups defined on the system. Documentation and scripts supporting the creation of this group to restrict local administrative accounts were changed at one point. The original name, "DeniedNetworkAccess", was changed to "DenyNetworkAccess". Automated benchmarks will look for either of these groups. If the group "DenyNetworkAccess" or "DeniedNetworkAccess" does not exist, this is a finding. Compare the membership of the defined group with the local Administrators group. Verify the group includes all local administrator accounts as members. This includes the built-in Administrator account. It does not include domain administrative accounts or groups. If the group "DenyNetworkAccess" or "DeniedNetworkAccess" does not include all local administrator accounts, this is a finding. Windows 8.1 and Windows Server 2012 R2 added new built-in security groups, "Local account" and "Local account and member of Administrators group", for assigning permissions and rights to local accounts. Microsoft Security Advisory Patch 2871997 adds these groups to Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012. Use these groups instead of creating a group for local administrator accounts to apply to deny rights where required. Assign the group "Local account and member of Administrators group" or the more restrictive "Local account". Automated benchmarks will look for the groups referenced in the requirement. Use of other methods will require manual validation.

Check Text ( C-58023r2_chk )

This requirement is NA for non domain-joined systems.

*This requirement may be satisfied by the existence of the new built-in security groups "Local account" or "Local account and member of Administrators group".

Execute the following PowerShell commands to determine if the new built-in security groups exist on the system:

$SID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-113")
$Account = $SID.Translate([System.Security.Principal.NTAccount])
$Account.Value

If the group exists, "NT Authority\Local account" will be returned.
(Using SID S-1-5-114 will return "NT Authority\Local account and member of Administrators group".)

If the built-in groups exist, this is not a finding.

If the built-in groups do not exist on the system, review local groups defined on the system.

Documentation and scripts supporting the creation of this group to restrict local administrative accounts were changed at one point. The original name, "DeniedNetworkAccess", was changed to "DenyNetworkAccess". Automated benchmarks will look for either of these groups.

If the group "DenyNetworkAccess" or "DeniedNetworkAccess" does not exist, this is a finding.

Compare the membership of the defined group with the local Administrators group.
Verify the group includes all local administrator accounts as members.
This includes the built-in Administrator account. It does not include domain administrative accounts or groups.

If the group "DenyNetworkAccess" or "DeniedNetworkAccess" does not include all local administrator accounts, this is a finding.

*Windows 8.1 and Windows Server 2012 R2 added new built-in security groups, "Local account" and "Local account and member of Administrators group", for assigning permissions and rights to local accounts.
Microsoft Security Advisory Patch 2871997 adds these groups to Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012.
Use these groups instead of creating a group for local administrator accounts to apply to deny rights where required. Assign the group "Local account and member of Administrators group" or the more restrictive "Local account".

Automated benchmarks will look for the groups referenced in the requirement. Use of other methods will require manual validation.

Fix Text (F-62385r3_fix)
This requirement is NA for non domain-joined systems. This requirement is satisfied by the new built-in security groups below for Windows 2012 R2 systems. Apply the patch to Windows 2012 that creates the new built-in security groups, "Local account" and "Local account and member of Administrators group". Or create the required groups defined below. Documentation and scripts supporting the creation of this group to restrict local administrative accounts were changed at one point. The original name, "DeniedNetworkAccess", was changed to "DenyNetworkAccess". Automated benchmarks will look for either of these groups. Create a local group with the name "DenyNetworkAccess" or "DeniedNetworkAccess". Include all local administrator accounts as members of the group, including the built-in Administrator account. Do not include domain administrative accounts or groups. *Windows 8.1 and Windows Server 2012 R2 added new built-in security groups, "Local account" and "Local account and member of Administrators group", for assigning permissions and rights to local accounts. Microsoft Security Advisory Patch 2871997 adds these groups to Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012. Use these groups instead of creating a group for local administrator accounts to apply to deny rights where required. Assign the group "Local account and member of Administrators group" or the more restrictive "Local account". Automated benchmarks will look for the groups referenced in the requirement. Use of other methods will require manual validation.

Fix Text (F-62385r3_fix)

This requirement is NA for non domain-joined systems.

*This requirement is satisfied by the new built-in security groups below for Windows 2012 R2 systems.

*Apply the patch to Windows 2012 that creates the new built-in security groups, "Local account" and "Local account and member of Administrators group".

Or create the required groups defined below.

Documentation and scripts supporting the creation of this group to restrict local administrative accounts were changed at one point. The original name, "DeniedNetworkAccess", was changed to "DenyNetworkAccess". Automated benchmarks will look for either of these groups.

Create a local group with the name "DenyNetworkAccess" or "DeniedNetworkAccess". Include all local administrator accounts as members of the group, including the built-in Administrator account. Do not include domain administrative accounts or groups.

*Windows 8.1 and Windows Server 2012 R2 added new built-in security groups, "Local account" and "Local account and member of Administrators group", for assigning permissions and rights to local accounts.
Microsoft Security Advisory Patch 2871997 adds these groups to Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012.
Use these groups instead of creating a group for local administrator accounts to apply to deny rights where required. Assign the group "Local account and member of Administrators group" or the more restrictive "Local account".

Automated benchmarks will look for the groups referenced in the requirement. Use of other methods will require manual validation.