WPAW-00-001300 - A Windows PAW used to manage domain controllers and directory services must not be used to manage any other type of high-value IT resource.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Domain controllers (DC) are usually the most sensitive, high-value IT resources in a domain. Dedicating a PAW to be used solely for managing domain controllers will aid in protecting privileged domain accounts from being compromised.

For Windows, this includes the management of Active Directory itself and the DCs that run Active Directory, including such activities as domain-level user and computer management, administering trusts, replication, schema changes, site topology, domain-wide group policy, the addition of new DCs, DC software installation, and DC backup and restore operations.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Set aside one or more PAWs for remote management of Active Directory.

Ensure they are used only for the purpose of managing directory services. Otherwise, use the local domain controller console to manage Active Directory.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_PAW_V2R2_STIG.zip

Item Details

References: CAT|I, CCI|CCI-001082, Rule-ID|SV-243454r722933_rule, STIG-ID|WPAW-00-001300, STIG-Legacy|SV-92875, STIG-Legacy|V-78169, Vuln-ID|V-243454

Plugin: Windows

Control ID: ce601579e94c810d36ccb61d31b9ca6199f6b8bcdee2d9113f3b6d511d503b14