
Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers.

An XCCDF Rule

Description

Public-facing servers should be in DMZs with separate Active Directory forests. If, because of operational necessity, this is not possible, lateral movement from these servers must be mitigated within the forest. An administrator who logs on to a public-facing server leaves credential material (cached verifiers, tokens, tickets) on that host; if the same domain account is also used on internal servers, compromising the public-facing server hands the attacker a credential that is valid inside the network. Using different domain accounts to administer domain-joined public-facing servers from those used on internal servers limits an attacker's lateral movement from a compromised public-facing server.

Documentable: false

ID: SV-243473r723565_rule
Severity: Medium
References
Updated



Remediation - Manual Procedure

If the domain does not have any public-facing servers, this is NA.

Configure the local Administrators group of each system to contain only the administrator groups or accounts that are responsible for that system.

For public-facing servers, replace the Domain Admins group (which is placed in the local Administrators group by default when a server joins the domain) with a domain member-server administrator group whose members are different from any group or account used to manage internal servers. Removing the group alone is not sufficient: the administrators who manage public-facing servers must actually log on with accounts that hold no rights on internal servers, otherwise the credential exposure the rule is meant to prevent remains.
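The following PowerShell script is an added example, not part of the STIG text or any DISA-provided script. It audits (and, with -Remediate, fixes) the local Administrators group on a domain-joined public-facing server and then checks that the dedicated administrator group shares no members with the groups used for internal servers. The domain name CORP and the group names PublicWeb-ServerAdmins and Internal-ServerAdmins are hypothetical placeholders; the cross-membership check assumes the RSAT ActiveDirectory module is available on the host where the script runs.

```powershell
<#
  Added example (not from the STIG): audit/remediate local Administrators on a
  public-facing member server and verify account separation.
  Assumptions (hypothetical names): domain CORP, dedicated group
  CORP\PublicWeb-ServerAdmins, internal admin groups CORP\Domain Admins and
  CORP\Internal-ServerAdmins. Requires Microsoft.PowerShell.LocalAccounts
  (Windows Server 2016+) and, for step 4, the ActiveDirectory module.
#>
#Requires -RunAsAdministrator
param(
    [string]   $Domain              = 'CORP',                                      # assumption
    [string]   $PublicAdminGroup    = 'PublicWeb-ServerAdmins',                    # assumption
    [string[]] $InternalAdminGroups = @('Domain Admins', 'Internal-ServerAdmins'), # assumption
    [switch]   $Remediate
)

$finding = $false

# 1. Enumerate the current local Administrators membership.
$localAdmins = Get-LocalGroupMember -Group 'Administrators'
Write-Host "Local Administrators on $env:COMPUTERNAME:"
$localAdmins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Any internal-server admin group present here is a finding.
#    (Domain Admins is added automatically when the server joins the domain.)
foreach ($g in $InternalAdminGroups) {
    $member = "$Domain\$g"
    if ($localAdmins.Name -contains $member) {
        Write-Warning "$member is a member of local Administrators."
        $finding = $true
        if ($Remediate) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $member
            Write-Host "Removed $member from local Administrators."
        }
    }
}

# 3. The dedicated public-facing administrator group must be present.
$publicMember = "$Domain\$PublicAdminGroup"
if ($localAdmins.Name -notcontains $publicMember) {
    Write-Warning "$publicMember is not a member of local Administrators."
    $finding = $true
    if ($Remediate) {
        Add-LocalGroupMember -Group 'Administrators' -Member $publicMember
        Write-Host "Added $publicMember to local Administrators."
    }
}

# 4. Account separation: resolve both sides recursively and compare user SIDs.
#    A user in both the public-facing group and any internal group is the
#    exact lateral-movement path the rule is meant to close.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $publicSids = @(Get-ADGroupMember -Identity $PublicAdminGroup -Recursive |
                    Where-Object objectClass -eq 'user' |
                    ForEach-Object { $_.SID.Value })
    foreach ($g in $InternalAdminGroups) {
        $internalSids = @(Get-ADGroupMember -Identity $g -Recursive |
                          Where-Object objectClass -eq 'user' |
                          ForEach-Object { $_.SID.Value })
        foreach ($sid in $publicSids) {
            if ($internalSids -contains $sid) {
                $acct = (Get-ADUser -Identity $sid).SamAccountName
                Write-Warning "$acct is a member of both $PublicAdminGroup and $g."
                $finding = $true
            }
        }
    }
} else {
    Write-Warning 'ActiveDirectory module not found; skipping cross-membership check.'
}

if ($finding) { Write-Host 'Result: FINDING' } else { Write-Host 'Result: compliant' }
```

Run it without -Remediate first to see what would change; step 4 can also be run from an administrative workstation against the same group names, since it only needs directory access, not local rights on the public-facing server.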