User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts.

From Active Directory Domain Security Technical Implementation Guide (STIG)

Part of Object Ownership Delegation

Associated with IA controls: ECPA-1, ECLP-1

Associated with: CCI-000366

SV-9018r3_rule User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts.

Vulnerability discussion

In AD it is possible to delegate account and other AD object ownership and administration tasks. (This is commonly done for help desk or other user support staff.) Delegation is used to avoid assigning users to Windows groups with much broader privileges. If a user with delegated authority over user accounts in a specific OU is also a member of the Administrators group, that user can reconfigure a wide range of domain security settings and change user accounts outside the OU for which the delegation was granted. A lack of specific baseline documentation of accounts with delegated privileges makes it impossible to determine whether the configured privileges are consistent with the intended security policy.

Check content

1. Interview the IAM or site representative and obtain the list of accounts that have been delegated AD object ownership or update permissions and that are not members of Windows built-in administrative groups. (This includes accounts for help desk or support personnel who are not Administrators, but have authority in AD to maintain user accounts or printers.)

2. If accounts with delegated authority are defined and there is no list, then this is a finding.

3. Count the number of accounts on the list.

4. If the number of accounts with delegated authority is greater than 10, review the site documentation that justifies this number. Validate that the IAM explicitly acknowledges the need to have a high number of privileged users.

5. If the number of accounts with delegated authority is greater than 10 and there is no statement in the documentation that justifies the number, then this is a finding.

Fix text

1. Remove user accounts with delegated authority from Windows built-in administrative groups or remove the delegated authority from the accounts.

2. Document all user accounts with delegated AD object ownership or update authority.

3. Annotate the account list with a statement such as, "The high number of privileged accounts is required to address site operational requirements."

4. Reduce the number of user accounts with delegated AD object ownership or update authority.
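The following PowerShell script is an added example, not part of the STIG or any DISA tool: it automates the evidence gathering behind check steps 1, 3 and 4 and fix step 1 by listing accounts that hold explicit (non-inherited) write rights on OUs, flagging those that are also members of built-in administrative groups, and comparing the total with the threshold of 10. It assumes a domain-joined host with the RSAT ActiveDirectory module and an account permitted to read OU ACLs; the set of groups treated as "built-in administrative" and the list of default ACL principals to ignore are assumptions to adjust to site policy.

```powershell
# Added example (not STIG code): find delegated accounts and those also in admin groups.
Import-Module ActiveDirectory

# Groups treated as "built-in administrative" here (assumption; adjust to site policy).
$adminGroups = 'Administrators','Domain Admins','Enterprise Admins','Schema Admins',
               'Account Operators','Server Operators','Backup Operators','Print Operators'
# Trustees present on OU ACLs by default that are not site delegations (assumption).
$defaultTrustees = 'NT AUTHORITY\SYSTEM','NT AUTHORITY\SELF','NT AUTHORITY\Authenticated Users',
                   'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS','Everyone','CREATOR OWNER',
                   'BUILTIN\Pre-Windows 2000 Compatible Access'

# Recursive membership of the admin groups: sAMAccountName -> group that grants membership.
$adminMembers = @{}
foreach ($g in $adminGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $adminMembers[$_.SamAccountName] = $g }
}

# Expand a "DOMAIN\name" ACE trustee to user sAMAccountNames (groups are expanded recursively).
function Expand-Trustee([string]$NtAccount) {
    $name = ($NtAccount -split '\\')[-1]
    $obj  = Get-ADObject -Filter "sAMAccountName -eq '$name'"
    if ($obj -and $obj.ObjectClass -eq 'group') {
        return Get-ADGroupMember -Identity $name -Recursive |
               Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName
    }
    return $name   # a user, or an unresolved SID string
}

$delegated = @{}   # sAMAccountName -> OUs on which the account holds delegated rights
foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        $trustee = $ace.IdentityReference.Value
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        if ($trustee -in $defaultTrustees -or (($trustee -split '\\')[-1]) -in $adminGroups) { continue }
        # Only rights that allow changing objects count as "update" authority.
        if ($ace.ActiveDirectoryRights -notmatch 'Write|Create|Delete|GenericAll') { continue }
        foreach ($sam in Expand-Trustee $trustee) { $delegated[$sam] += @($ou.DistinguishedName) }
    }
}

# Report: a non-empty AlsoInAdminGroup column is the condition fix step 1 removes.
$report = foreach ($sam in $delegated.Keys) {
    [pscustomobject]@{ Account = $sam; OUs = ($delegated[$sam] -join '; ')
                       AlsoInAdminGroup = $adminMembers[$sam] }
}
$report | Sort-Object AlsoInAdminGroup -Descending | Format-Table -AutoSize
# Check steps 3-5: more than 10 delegated accounts requires documented justification.
if ($delegated.Count -gt 10) {
    Write-Warning "$($delegated.Count) delegated accounts: site documentation must justify this number"
}
```

The output is the baseline list the check asks for; keep it with the site documentation so later reviews can diff it against the current state.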
