Communications from AD admin platforms must be blocked, except with the domain controllers being managed.

From Active Directory Domain Security Technical Implementation Guide (STIG)

Part of AD.MP.0004

Associated with IA controls: ECSC-1

Associated with: CCI-001084

SV-56888r2_rule Communications from AD admin platforms must be blocked, except with the domain controllers being managed.

Vulnerability discussion

AD admin platforms are used for highly privileged activities. Preventing communications to and from AD admin platforms, except with the domain controllers being managed, protects against an attacker's lateral movement from a compromised platform. Requirements in the Firewall and Windows client STIGs restrict inbound communications; however, outbound communications must be restricted as well to prevent inadvertent exposure of the privileged credentials used on these platforms.

Check content

Verify firewall rules prevent outbound communications from AD admin platforms, except to the domain controllers being managed. If outbound communications are allowed between AD admin platforms and any systems other than domain controllers, this is a finding.
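One way to run this check on the admin platform itself, as an added example that is not part of the STIG: it assumes the restriction is enforced by Windows Defender Firewall on the platform (the STIG does not say which firewall is used). The function name `Test-AdminPlatformOutbound` is hypothetical and the domain controller addresses are constructed placeholders.

```powershell
# Constructed sample values: replace with the addresses of the DCs being managed.
$ManagedDCs = @('192.0.2.10', '192.0.2.11')

function Test-AdminPlatformOutbound {
    param([Parameter(Mandatory)][string[]]$AllowedRemote)

    $findings = @()

    # ActiveStore is the effective policy (local rules merged with Group Policy).
    # Outbound must default to Block; otherwise unmatched traffic leaves the host.
    foreach ($fwProfile in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        $action = "$($fwProfile.DefaultOutboundAction)"
        if ($action -ne 'Block') {
            $findings += "Profile $($fwProfile.Name): default outbound action is $action"
        }
    }

    # Every enabled outbound Allow rule must name only managed DCs as remote address.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore | Where-Object {
        "$($_.Direction)" -eq 'Outbound' -and
        "$($_.Enabled)" -eq 'True' -and
        "$($_.Action)" -eq 'Allow'
    }
    foreach ($rule in $rules) {
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        # 'Any', keywords, subnets and ranges are reported too: they need manual
        # review because they can cover hosts that are not domain controllers.
        $other = @($remote | Where-Object { $_ -notin $AllowedRemote })
        if ($other.Count -gt 0) {
            $findings += "Rule '$($rule.DisplayName)': allows outbound to $($other -join ', ')"
        }
    }
    return $findings
}

$result = Test-AdminPlatformOutbound -AllowedRemote $ManagedDCs
if ($result) {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
} else {
    Write-Output 'No outbound allow rule reaches beyond the managed domain controllers.'
}
```

Where the restriction is enforced on a network firewall instead, the same two criteria apply to its rule set: a default deny for traffic sourced from the admin platforms, and allow rules whose destinations are only the managed domain controllers.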

Fix text

Maintain firewall rules to prevent outbound communications from AD admin platforms, except with domain controllers being managed.
