Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Microsoft Windows PAW Security Technical Implementation Guide
SRG-OS-000132-GPOS-00067
A Windows PAW used to manage domain controllers and directory services must not be used to manage any other type of high-value IT resource.
A Windows PAW used to manage domain controllers and directory services must not be used to manage any other type of high-value IT resource.
An XCCDF Rule
Details
Profiles
Prose
A Windows PAW used to manage domain controllers and directory services must not be used to manage any other type of high-value IT resource.
High Severity
<VulnDiscussion>Domain controllers (DC) are usually the most sensitive, high-value IT resources in a domain. Dedicating a PAW to be used solely for managing domain controllers will aid in protecting privileged domain accounts from being compromised. For Windows, this includes the management of Active Directory itself and the DCs that run Active Directory, including such activities as domain-level user and computer management, administering trusts, replication, schema changes, site topology, domain-wide group policy, the addition of new DCs, DC software installation, and DC backup and restore operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>