CSCv7|4.6

Title

Use of Dedicated Machines For All Administrative Tasks

Description

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.

Reference Item Details

Category: Controlled Use of Administrative Privileges

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.4.2 If SNMPv2 is in use, set Restrictions on Access - ACL | Cisco | CIS Cisco NX-OS L1 v1.0.0 |
| 1.4.2 If SNMPv2 is in use, set Restrictions on Access - snmp-server | Cisco | CIS Cisco NX-OS L1 v1.0.0 |
| 2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.2.10 Ensure 'Back up files and directories' is set to 'Administrators' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0 |
| 2.2.10 Ensure 'Back up files and directories' is set to 'Administrators' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0 |
| 2.2.10 Ensure 'Create a pagefile' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 2.2.11 (L1) Ensure 'Create a token object' is set to 'No One' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.2.11 Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0 |
| 2.2.11 Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0 |
| 2.2.11 Ensure 'Create a token object' is set to 'No One' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.2.12 Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0 |
| 2.2.12 Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0 |
| 2.2.12 Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 2.2.13 Ensure 'Create a pagefile' is set to 'Administrators' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0 |
| 2.2.13 Ensure 'Create a pagefile' is set to 'Administrators' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0 |
| 2.2.14 (L1) Configure 'Create symbolic links' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.2.14 Configure 'Create symbolic links' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.2.15 Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0 |
| 2.2.15 Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0 |
| 2.2.15 Ensure 'Debug programs' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 2.2.17 Ensure 'Create symbolic links' is set to 'Administrators' (DC only) | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0 |
| 2.2.21 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.2.21 Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.2.22 Ensure 'Force shutdown from a remote system' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 2.2.24 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.2.24 Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 2.2.25 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.2.25 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' - Window Manager\Window Manager Group' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.2.25 Ensure 'Increase scheduling priority' is set to 'Administrators' - Administrators | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 2.2.25 Ensure 'Increase scheduling priority' is set to 'Administrators' - Window Manager\Window Manager Group' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 2.2.26 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.2.26 Ensure 'Load and unload device drivers' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 2.2.30 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.2.30 Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only) | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0 |
| 2.2.30 Ensure 'Manage auditing and security log' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 2.2.31 Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only) | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0 |
| 2.2.32 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.2.32 Ensure 'Load and unload device drivers' is set to 'Administrators' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0 |
| 2.2.32 Ensure 'Load and unload device drivers' is set to 'Administrators' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0 |
| 2.2.32 Ensure 'Modify firmware environment values' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.9.85.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.9.85.1 Ensure 'Allow user control over installs' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 18.9.85.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.9.85.2 Ensure 'Always install with elevated privileges' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 19.7.41.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 19.7.41.1 Ensure 'Always install with elevated privileges' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |