Only Privileged Access Workstations (PAWs) dedicated for the sole purpose of managing Active Directory must be used to manage Active Directory remotely.

From Active Directory Domain Security Technical Implementation Guide (STIG)

Part of Dedicated Systems for Managing Active Directory

Associated with: CCI-001082

SV-47842r5_rule Only Privileged Access Workstations (PAWs) dedicated for the sole purpose of managing Active Directory must be used to manage Active Directory remotely.

Vulnerability discussion

Only domain systems used exclusively to manage Active Directory, referred to as Privileged Access Workstations (PAWs) must be used to manage Active Directory remotely. Dedicating domain systems to be used solely for managing Active Directory will aid in protecting privileged domain accounts from being compromised.This includes the management of Active Directory itself and the Domain Controllers (DCs) that run Active Directory, including such activities as domain level user and computer management, administering trusts, replication, schema changes, site topology, domain-wide group policy, the addition of new DCs, DC software installation, and DC backups and restore operations.Some maintenance activities may be delegated and do not require the use of an AD admin platform. These include non-domain level activities such as user and computer management as well as group policy maintenance in site defined organizational units. Accounts that have been delegated these activities must not be members of Domain or Enterprise Admin groups. These activities may still be performed with the use of an AD admin platform for the additional protections they provide.See the Windows Privileged Access Workstation (PAW) STIG for additional configuration requirements.

Check content

If Active Directory is only managed with local logons to domain controllers, not remotely, this can be marked NA. Verify that any PAWs used to manage Active Directory remotely are used exclusively for managing Active Directory. If PAWs used for managing Active Directory are used for additional functions, this is a finding.

Fix text

Use PAWs to manage Active Directory remotely. Ensure they are used only for the purpose of managing Active Directory. Otherwise, use the local domain controller console to manage Active Directory. See the Windows Privileged Access Workstation (PAW) STIG for additional configuration requirements.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer