From Active Directory Domain Security Technical Implementation Guide (STIG)
Part of AD.MP.0003
Associated with IA controls: ECPA-1
Associated with: CCI-000366
AD admin platforms are used for highly privileged activities. The accounts that have administrative privileges on AD admin platforms must not be used on or used to manage any non-AD admin platforms. Otherwise, there would be a clear path for privilege escalation to EA/DA privileges. Where practicable, dedicated domain accounts that are used to manage AD admin platforms should be utilized, but otherwise Enterprise Admin (EA)/Domain Admin (DA) accounts may be used to manage AD admin platforms.
Review the local Administrators group of AD admin platforms. Verify separate domain administrative accounts are used to manage AD admin platforms from non-AD admin platforms. These should be dedicated domain accounts where practicable. Otherwise EA/DA accounts may be used. If accounts used to manage AD admin platforms are used for any non-AD admin platforms, this is a finding.
Use separate domain administrative accounts to manage AD admin platforms from non-AD admin platforms. These should be dedicated domain accounts where practicable. Otherwise EA/DA accounts may be used.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer