STIGQter STIGQter: STIG Summary: Active Directory Domain Security Technical Implementation Guide (STIG) Version: 2 Release: 13 Benchmark Date: 26 Apr 2019:

Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest.

DISA Rule

SV-47837r2_rule

Vulnerability Number

V-36431

Group Title

Enterprise Admins Group Members

Rule Version

AD.0001

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Create the necessary documentation that identifies the members of the Enterprise Admins group. Ensure that each member has a separate unique account that can only be used to manage the Active Directory Forest. Remove any Enterprise Admin accounts from other administrator groups.

Check Contents

Review the Enterprise Admins group in Active Directory Users and Computers. Any accounts that are members of the Enterprise Admins group must be documented with the IAO. Each Enterprise Administrator must have a separate unique account specifically for managing the Active Directory forest.

If any account listed in the Enterprise Admins group is a member of other administrator groups including the Domain Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding.

Vulnerability Number

V-36431

Documentable

False

Rule Version

AD.0001

Severity Override Guidance

Review the Enterprise Admins group in Active Directory Users and Computers. Any accounts that are members of the Enterprise Admins group must be documented with the IAO. Each Enterprise Administrator must have a separate unique account specifically for managing the Active Directory forest.

If any account listed in the Enterprise Admins group is a member of other administrator groups including the Domain Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding.

Check Content Reference

M

Target Key

870

Comments