Detections
Analytics
WPAW-00-001200 - The domain must be configured to restrict privileged administrator accounts from logging on to lower-tier hosts.
Information
If the domain is not configured to restrict privileged administrator accounts from logging on to lower-tier hosts, it would be impossible to isolate administrative accounts to specific trust zones and protect IT resources from threats from high-risk trust zones. Blocking logon to lower-tier assets helps protect IT resources in a tier from being attacked from a lower tier.Solution
Configure domain systems to prevent higher-tier administrative accounts from logging on to lower-tier hosts.Assign higher-tier administrative groups to the Deny log on user rights of lower-tier hosts. This includes the following user rights:
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Domain and Enterprise Admins are currently required to be included in the appropriate deny user rights in the Windows STIGs for member servers and workstations.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_PAW_V3R2_STIG.zip
Item Details
Audit Name: DISA Microsoft Windows PAW STIG v3r2
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-243453r991589_rule, STIG-ID|WPAW-00-001200, STIG-Legacy|SV-92873, STIG-Legacy|V-78167, Vuln-ID|V-243453
Plugin: Windows
Control ID: 7c193a0f90adc57cf63a1bcd5781321e00cc653d3ad0fc29ad33085d2ff4810a