Skip to content

III - Administrative Public

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited.

    &lt;VulnDiscussion&gt;Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups assigns a high privilege level for AD...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts.

    &lt;VulnDiscussion&gt;In AD it is possible to delegate account and other AD object ownership and administration tasks. (This is commonly done for h...
    Rule Low Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.

    &lt;VulnDiscussion&gt;The RODC role provides a unidirectional replication method for selected information from your internal network to the DMZ. If...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • Usage of administrative accounts must be monitored for suspicious and anomalous activity.

    &lt;VulnDiscussion&gt;Monitoring the usage of administrative accounts can alert on suspicious behavior and anomalous account usage that would be in...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • Systems must be monitored for attempts to use local accounts to log on remotely from other systems.

    &lt;VulnDiscussion&gt;Monitoring for the use of local accounts to log on remotely from other systems may indicate attempted lateral movement in a P...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • Systems must be monitored for remote desktop logons.

    &lt;VulnDiscussion&gt;Remote Desktop activity for administration should be limited to specific administrators, and from limited management workstat...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.

    &lt;VulnDiscussion&gt;Failure to maintain a current backup of directory data could make it difficult or impossible to recover from incidents includ...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • Each cross-directory authentication configuration must be documented.

    &lt;VulnDiscussion&gt;Active Directory (AD) external, forest, and realm trust configurations are designed to extend resource access to a wider rang...
    Rule Low Severity
  • SRG-OS-000423

    <GroupDescription></GroupDescription>
    Group
  • A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries.

    &lt;VulnDiscussion&gt;The normal operation of AD requires the use of IP network ports and protocols to support queries, replication, user authentic...
    Rule Medium Severity
  • SRG-OS-000480

    <GroupDescription></GroupDescription>
    Group
  • Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups.

    &lt;VulnDiscussion&gt;Membership in certain default directory groups assigns a high privilege level for access to the directory. In AD, membership ...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules