STIGQter: STIG Summary: Windows PAW Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 15 May 2020: STIGQter: STIG Summary: Windows PAW Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 15 May 2020:SV-92873r1_rule
V-78167
PAW-00-001200
WPAW-00-001200
CAT II
10
Configure domain systems to prevent higher-tier administrative accounts from logging on to lower-tier hosts.
Assign higher-tier administrative groups to the Deny log on user rights of lower-tier hosts. This includes the following user rights:
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Domain and Enterprise Admins are currently required to be included in the appropriate deny user rights in the Windows STIGs for member servers and workstations.
Verify domain systems are configured to prevent higher-tier administrative accounts from logging on to lower-tier hosts.
This can be accomplished by adding the higher-tier administrative groups to the Deny log on user rights of the lower-tier system. These include the following user rights:
Deny log on as a batch job
Deny log on as a service
Deny log on locally
If domain systems are not configured to prevent higher-tier administrative accounts from logging on to lower-tier hosts, this is a finding.
Domain and Enterprise Admins are currently required to be included in the appropriate deny user rights in the Windows STIGs for member servers and workstations.
Note: Severity category exception - Upgrade to a CAT I finding if any Tier 0 administrative account used to manage high-value IT resources is able to log on to a lower-tier host.
V-78167
False
WPAW-00-001200
Verify domain systems are configured to prevent higher-tier administrative accounts from logging on to lower-tier hosts.
This can be accomplished by adding the higher-tier administrative groups to the Deny log on user rights of the lower-tier system. These include the following user rights:
Deny log on as a batch job
Deny log on as a service
Deny log on locally
If domain systems are not configured to prevent higher-tier administrative accounts from logging on to lower-tier hosts, this is a finding.
Domain and Enterprise Admins are currently required to be included in the appropriate deny user rights in the Windows STIGs for member servers and workstations.
Note: Severity category exception - Upgrade to a CAT I finding if any Tier 0 administrative account used to manage high-value IT resources is able to log on to a lower-tier host.
M
3283