Active Directory Domain Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark

Group SRG-OS-000480
Rule (High Severity): Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest.
Vulnerability discussion: The Enterprise Admins group is a highly privileged group. Personnel who are system administrators must log on to Active Dire...

Group SRG-OS-000480
Rule (High Severity): Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
Vulnerability discussion: The Domain Admins group is a highly privileged group. Personnel who are system administrators must log on to Active Director...

Group SRG-OS-000480
Rule (Medium Severity): Administrators must have separate accounts specifically for managing domain member servers.
Vulnerability discussion: Personnel who are system administrators must log on to domain systems only using accounts with the minimum level of authority...

Group SRG-OS-000480
Rule (Medium Severity): Administrators must have separate accounts specifically for managing domain workstations.
Vulnerability discussion: Personnel who are system administrators must log on to domain systems only using accounts with the minimum level of authority...

Group SRG-OS-000480
Rule (High Severity): Delegation of privileged accounts must be prohibited.
Vulnerability discussion: Privileged accounts such as those belonging to any of the administrator groups must not be trusted for delegation. Allowing p...

Group SRG-OS-000112
Rule (Medium Severity): Local administrator accounts on domain systems must not share the same password.
Vulnerability discussion: Local administrator accounts on domain systems must use unique passwords. In the event a domain system is compromised, sharin...

Group SRG-OS-000480
Rule (Medium Severity): Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts.
Vulnerability discussion: A separate smart card for Enterprise Admin and Domain Admin accounts eliminates the automatic exposure of the private keys fo...

Group SRG-OS-000480
Rule (Medium Severity): Separate domain accounts must be used to manage public-facing servers from any domain accounts used to manage internal servers.
Vulnerability discussion: Public-facing servers should be in DMZs with separate Active Directory forests. If, because of operational necessity, this i...

Group SRG-OS-000076
Rule (Medium Severity): Windows service/application accounts with administrative privileges and manually managed passwords must have passwords changed at least every 60 days.
Vulnerability discussion: NT hashes of passwords for accounts that are not changed regularly are susceptible to reuse by attackers using Pass-the-Hash....

Group SRG-OS-000480