Check: WPAW-00-001300
Microsoft Windows PAW STIG: WPAW-00-001300 (in versions v3 r1 through v1 r1)
Title
A Windows PAW used to manage domain controllers and directory services must not be used to manage any other type of high-value IT resource. (Cat I impact)
Discussion
Domain controllers (DC) are usually the most sensitive, high-value IT resources in a domain. Dedicating a PAW to be used solely for managing domain controllers will aid in protecting privileged domain accounts from being compromised. For Windows, this includes the management of Active Directory itself and the DCs that run Active Directory, including such activities as domain-level user and computer management, administering trusts, replication, schema changes, site topology, domain-wide group policy, the addition of new DCs, DC software installation, and DC backup and restore operations.
Check Content
If domain controllers and directory services are only managed with local logons to domain controllers, not remotely, this requirement is not applicable.

Discuss with the Information System Security Manager (ISSM) or PAW system administrators and review any available site documentation.

Verify that a site has designated specific PAWs for the sole purpose of remote management of domain controllers and directory service servers.

Review any available site documentation.

Verify that any PAW used to manage domain controllers and directory services remotely is used exclusively for managing domain controllers and directory services.

If the site has not designated specific PAWs for the sole purpose of remote management of domain controllers and directory service servers, this is a finding.

If PAWs used for managing domain controllers and directory services are used for additional functions, this is a finding.
Fix Text
Set aside one or more PAWs for remote management of Active Directory. Ensure they are used only for the purpose of managing directory services. Otherwise, use the local domain controller console to manage Active Directory.
Additional Identifiers
Rule ID: SV-243454r958514_rule
Vulnerability ID: V-243454
Group Title: SRG-OS-000132-GPOS-00067
CCIs
Number | Definition |
---|---|
CCI-001082 | Separate user functionality, including user interface services, from system management functionality. |
Controls
Number | Title |
---|---|
SC-2 | Application Partitioning |