A Windows PAW used to manage domain controllers and directory services must not be used to manage any other type of high-value IT resource.
An XCCDF Rule
Description
<VulnDiscussion>Domain controllers (DC) are usually the most sensitive, high-value IT resources in a domain. Dedicating a PAW to be used solely for managing domain controllers will aid in protecting privileged domain accounts from being compromised. For Windows, this includes the management of Active Directory itself and the DCs that run Active Directory, including such activities as domain-level user and computer management, administering trusts, replication, schema changes, site topology, domain-wide group policy, the addition of new DCs, DC software installation, and DC backup and restore operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-243454r722933_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
Set aside one or more PAWs for remote management of Active Directory.
Ensure they are used only for the purpose of managing directory services. Otherwise, use the local domain controller console to manage Active Directory.