STIGQter: STIG Summary: Active Directory Domain Security Technical Implementation Guide (STIG) Version: 2 Release: 13 Benchmark Date: 26 Apr 2019

Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited.

DISA Rule

SV-9045r3_rule

Vulnerability Number

V-8548

Group Title

AD.0240

Rule Version

AD.0240

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Document membership of the Group Policy Creator Owners and Incoming Forest Trust Builders groups. Remove any accounts that do not require the privileges these groups assign.

Check Contents

Start "Active Directory Users and Computers" (available from various menus, or run "dsa.msc").

Review the membership of the "Incoming Forest Trust Builders" group.

Navigate to the "Built-in" container.

Right-click on the "Incoming Forest Trust Builders", select "Properties" and then the "Members" tab.

If any accounts are not documented as necessary with the ISSO, this is a finding.

Review the membership of the "Group Policy Creator Owners" group.

Navigate to the "Users" container.

Right-click on "Group Policy Creator Owners", select "Properties" and then the "Members" tab.

If any accounts are not documented as necessary with the ISSO, this is a finding.

It is possible to move some system-defined groups from their default locations. If a group is not in the location noted, review other containers to locate it.
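The two membership reviews above can also be run as a script. The following is an added example, not part of the STIG text, and assumes the RSAT ActiveDirectory module is installed and that the `$documented` allowlist is filled in from the ISSO-approved documentation (the names in it here are placeholders). It resolves the groups by their well-known SIDs, so the check still works when a group has been moved out of its default container.

```powershell
# Added example (not STIG text): report direct members of the two groups that
# are not on the ISSO-documented allowlist. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Resolve by well-known SID rather than by container path, because the check
# notes that system-defined groups may have been moved from their defaults.
$groupSids = @{
    'Incoming Forest Trust Builders' = 'S-1-5-32-557'     # Built-in container by default
    'Group Policy Creator Owners'    = "$domainSid-520"   # Users container by default
}

# Documented membership approved by the ISSO (constructed placeholder values).
# Key = group name, value = SamAccountNames permitted as direct members.
$documented = @{
    'Incoming Forest Trust Builders' = @()
    'Group Policy Creator Owners'    = @('Administrator')
}

$findings = foreach ($name in $groupSids.Keys) {
    $group = Get-ADGroup -Identity $groupSids[$name]
    # Direct members only, matching what the "Members" tab in dsa.msc shows.
    foreach ($m in (Get-ADGroupMember -Identity $group)) {
        if ($documented[$name] -notcontains $m.SamAccountName) {
            [pscustomobject]@{
                Group   = $name
                GroupDN = $group.DistinguishedName   # shows where the group actually lives
                Member  = $m.SamAccountName
                Type    = $m.objectClass
                Status  = 'FINDING: not documented with ISSO'
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No undocumented members found.' }
```

Members that appear as findings are exactly the accounts the check text says to remove or document; the GroupDN column records the container the group was found in, for the case the last paragraph describes.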

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Manager

Target Key

870

Comments