From Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide
Part of Users with Administrative Privilege
Associated with: CCI-000366
Using a privileged account to perform routine functions makes the computer vulnerable to attack by any virus or Trojan Horse inadvertently introduced during a session that has been granted full privileges.
Ask the System Administrator (SA) to show the necessary documentation that identifies the members of this privileged group. This check verifies each user with administrative privileges has been assigned a unique account, separate from the built-in “Administrator” account. This check also verifies the default “Administrator” account is not being used. Administrators should be properly trained before being permitted to perform administrator duties. The IAO will maintain a list of all users belonging to the Administrator’s group. If any of the following conditions are true, then this is a finding: -Each SA does not have a unique userid dedicated for administering the system. -Each SA does not have a separate account for normal user tasks. -The built-in administrator account is used to administer the system. -Administrators have not been properly trained. -The IAO does not maintain a list of users belonging to the Administrator’s group.
Create the necessary documentation that identifies the members of this privileged group. Ensure each member has a separate account for user duties and one for his privileged duties and the other requirements outlined in the manual check are met.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer