Title

The Directory Service Restore Mode (DSRM) passwords must be changed on each Domain Controller (DC) at least annually. (Cat II impact)

Discussion

The DSRM password, used to log on to a domain controller (DC) when rebooting into the server recovery mode, is very powerful. With a weak or known password, someone with local access to the DC can reboot the server and copy or modify the Active Directory database without leaving any trace of the activity. Failure to change the DSRM password periodically could allow compromise of the Active Directory. It could also allow an unknown (lost) password to go undetected. If not corrected during a periodic review, the problem might surface during an actual recovery operation and delay or prevent the recovery. Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on a Microsoft Entra-joined or Windows Server Active Directory-joined devices. Windows LAPS can also be used to automatically manage and back up the DSRM account password on a Windows Server Active Directory DC. An authorized administrator can retrieve the DSRM password and use it.

Check Content

Verify the DSRM password for each DC is changed at least annually. If logs are retained locally for a sufficient amount of time to capture the log event, the following command will indicate the password reset: PS C:\> Get-WinEvent -FilterHashtable @{Logname='Security'; ID=4794} | Format-Table -Property TimeCreated, Message TimeCreated Message ----------- ------- 10/29/2025 4:47:12 PM An attempt was made to set the Directory Services Restore Mode... If logs are not available, review the site processes around DSRM password reset to determine compliance. If DSRM passwords are not changed for each DC in the domain at least annually, this is a finding.

Fix Text

Change the DSRM passwords on each DC at least annually with the following commands: C:\> ntdsutil C:\Windows\system32\ntdsutil.exe: Set DSRM Password Reset DSRM Administrator Password: Reset Password on server <servername> Follow prompts to reset the password.

Additional Identifiers

Rule ID: SV-243479r1153403_rule

Vulnerability ID: V-243479

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.