From Active Directory Domain Security Technical Implementation Guide (STIG)
Part of AD.0240
Associated with: CCI-000366
Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups assigns a high privilege level for AD functions. Unnecessary membership increases the risk from compromise or unintended updates. Members of these groups must specifically require those privileges and be documented.
Start "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"). Review the membership of the "Incoming Forest Trust Builders" group. Navigate to the "Built-in" container. Right-click on the "Incoming Forest Trust Builders", select "Properties" and then the "Members" tab. If any accounts are not documented as necessary with the ISSO, this is a finding. Review the membership of the "Group Policy Creator Owner" group. Navigate to the "Users" container. Right-click on the "Group Policy Creator Owner", select "Properties" and then the "Members" tab. If any accounts are not documented as necessary with the ISSO, this is a finding. It is possible to move some system-defined groups from their default locations. If a group is not in the location noted, review other containers to locate.
Document membership of the Group Policy Creator Owners and Incoming Forest Trust Builders groups. Remove any accounts that do not require the privileges these groups assign.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer