The domain must be configured to restrict privileged administrator accounts from logging on to lower-tier hosts.

From Windows PAW Security Technical Implementation Guide

Part of PAW-00-001200

Associated with: CCI-000366

SV-92873r1_rule The domain must be configured to restrict privileged administrator accounts from logging on to lower-tier hosts.

Vulnerability discussion

If the domain is not configured to restrict privileged administrator accounts from logging on to lower-tier hosts, it would be impossible to isolate administrative accounts to specific trust zones and protect IT resources from threats from high-risk trust zones. Blocking logon to lower-tier assets helps protect IT resources in a tier from being attacked from a lower tier.

Check content

Verify domain systems are configured to prevent higher-tier administrative accounts from logging on to lower-tier hosts. This can be accomplished by adding the higher-tier administrative groups to the Deny log on user rights of the lower-tier system. These include the following user rights: Deny log on as a batch job Deny log on as a service Deny log on locally If domain systems are not configured to prevent higher-tier administrative accounts from logging on to lower-tier hosts, this is a finding. Domain and Enterprise Admins are currently required to be included in the appropriate deny user rights in the Windows STIGs for member servers and workstations. Note: Severity category exception - Upgrade to a CAT I finding if any Tier 0 administrative account used to manage high-value IT resources is able to log on to a lower-tier host.

Fix text

Configure domain systems to prevent higher-tier administrative accounts from logging on to lower-tier hosts. Assign higher-tier administrative groups to the Deny log on user rights of lower-tier hosts. This includes the following user rights: Deny log on as a batch job Deny log on as a service Deny log on locally Domain and Enterprise Admins are currently required to be included in the appropriate deny user rights in the Windows STIGs for member servers and workstations.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer