User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.

An XCCDF Rule

Description

<VulnDiscussion>User accounts with domain level administrative privileges are highly prized in Pass-the-Hash/credential theft attacks. The Protected Users group provides extra protections to accounts such as preventing authentication using NTLM. These accounts include Enterprise and Domain Admins as well as other accounts that may have domain level privileges. The Protected Users group requires a domain functional level of at least Windows 2012 R2 to provide domain level protections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-243477r959010_rule
Severity: Medium
References: CCI-000366
Updated: 17 days ago

Add user accounts from the local domain that are members of the domain level administrative groups listed below to the Protected Users group. One account may excluded to ensure availability if there are issues with Kerberos.

Enterprise Admins (Users node)
Domain Admins (Users node)
Schema Admins (Users node)
Administrators (Builtin node)Account Operators (Builtin node)
Backup Operators (Builtin node)

The use of the Protected Users group should be thoroughly tested before fully implementing.

User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.

Description

Remediation - Manual Procedure