Information
This policy setting ensures that only authorized Administrators responsible for the system have administrator rights.
The STIG recommended state for this setting is: Authorized Administrators
Rationale:
A standard user account should not have administrator rights on a system. Having these rights could allow the account if compromised, to bypass or modify required security restrictions on that machine.
Impact:
Standard user accounts must not be members of the domain and built-in Administrators group.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Remove any unauthorized or standard user accounts from the Administrators group.
Stand-alone system
Open Local Users and Groups
Navigate to Groups
Review the Administrators group for unauthorized accounts or standard user accounts that should not have administrator privileges.
Remove any unauthorized or standard user accounts.
Domain-joined system
Open Active Directory Users and Computers
Review the Administrators and Domain Admins groups (which must be replaced with a domain member server administrator group) group for unauthorized accounts or standard user accounts that should not have administrator privileges.
Remove any unauthorized or standard user accounts.
Default Value:
N/A
Additional Information:
Microsoft Windows Server 2019 Security Technical Implementation Guide:
Version 2, Release 1, Benchmark Date: November 13, 2020
Vul ID: V-205746
Rule ID: SV-205746r569188_rule
STIG ID: WN19-MS-000010
Severity: CAT I