WPAW-00-000400 - Administrative accounts of all high-value IT resources must be assigned to a specific administrative tier in Active Directory to separate highly privileged administrative accounts from less privileged administrative accounts.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Note: The Microsoft Tier 0-2 AD administrative tier model (https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM) is an example.

A key security construct of a PAW is to separate administrative accounts into specific trust levels so that an administrator account used to manage an IT resource at one trust level cannot be used to manage IT resources at another trust level. This architecture protects IT resources in a tier from threats from higher-risk tiers. Isolating administrative accounts by forcing them to operate only within their assigned trust zone implements the concept of containment of security risks and adversaries within a specific zone. The Tier model prevents escalation of privilege by restricting what administrators can control and where they can log on.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Set up an administrative tier model for the domain (for example, the Microsoft recommended Tier 0-2 AD administrative tier model).

Note: Details of the Tier model are found at https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ADATM_BM.

Set up an Admin Organizational Unit (OU) Framework to host site PAWs. Using the Microsoft PAW scripts to set up the PAW OU and group framework is recommended; they can be downloaded at http://aka.ms/PAWmedia.

For example:

- Admin\Tier 0\Accounts
- Admin\Tier 1\Accounts
- Admin\Tier 2\Accounts
- Admin\Tier 0\Groups
- Admin\Tier 1\Groups
- Admin\Tier 2\Groups
- Admin\Tier 0\Devices
- Admin\Tier 1\Devices
- Admin\Tier 2\Devices

Note: If using the Microsoft scripts, after running the scripts, PAW Users Tier 0, PAW Users Tier 1, and PAW Users Tier 2 groups may need to be created under Admin\Tier 0\Groups, Admin\Tier 1\Groups, and Admin\Tier 2\Groups, respectively.

Set up administrative accounts for each assigned administrator for high-value IT resources.

Based on the list of high-value IT resources with assigned administrative tier level, move Tier 0-2 administrative accounts to the appropriate Organizational Units and add the appropriate members to the relevant groups. Make sure each account and group has been assigned to one and only one tier.

(Reference-defined groups in the Active Directory Domain STIG)
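
One way to check the "one and only one tier" requirement, as an added example that is not part of the STIG or the Microsoft PAW scripts: it derives each account's tier from its OU and from the OUs of the groups it belongs to, and flags any mismatch. The `DC=example,DC=test` domain, the `adm-*` accounts and the function names are constructed for illustration, and treating membership in a group under another tier's OU as a violation is an assumption about how the site applies the model.

```powershell
# Added example: verify that each admin account maps to exactly one tier.
# Assumes the Admin\Tier N\{Accounts,Groups} OU layout listed above.
function Get-TierFromDN {
    param([string]$DistinguishedName)
    # "OU=Tier N,OU=Admin" is how Admin\Tier N\... appears inside a distinguished name.
    if ($DistinguishedName -match 'OU=Tier (\d),OU=Admin(,|$)') { return [int]$Matches[1] }
    return $null
}

function Test-TierAssignment {
    param([Parameter(Mandatory)][object[]]$Account)
    foreach ($a in $Account) {
        $ouTier = Get-TierFromDN $a.DistinguishedName
        # Tiers implied by group membership; groups outside Admin\Tier N are ignored.
        $groupTiers = @($a.MemberOf | ForEach-Object { Get-TierFromDN $_ } |
            Where-Object { $null -ne $_ })
        $allTiers = @(@($ouTier) + $groupTiers | Where-Object { $null -ne $_ } | Sort-Object -Unique)
        # Compare against $null explicitly: Tier 0 is the integer 0, which is falsy.
        if ($null -eq $ouTier) { $status = 'NotInTierOU' }
        elseif ($allTiers.Count -gt 1) { $status = 'CrossTier' }
        else { $status = 'OK' }
        [pscustomobject]@{
            Account = $a.SamAccountName
            OUTier  = $ouTier
            Tiers   = $allTiers -join ','
            Status  = $status
        }
    }
}

# Constructed sample input with the same properties Get-ADUser returns with -Properties MemberOf.
$base = 'OU=Admin,DC=example,DC=test'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'adm-alice'
        DistinguishedName = "CN=adm-alice,OU=Accounts,OU=Tier 0,$base"
        MemberOf = @("CN=PAW Users Tier 0,OU=Groups,OU=Tier 0,$base") }
    [pscustomobject]@{ SamAccountName = 'adm-bob'
        DistinguishedName = "CN=adm-bob,OU=Accounts,OU=Tier 1,$base"
        MemberOf = @("CN=PAW Users Tier 1,OU=Groups,OU=Tier 1,$base",
                     "CN=PAW Users Tier 0,OU=Groups,OU=Tier 0,$base") }
    [pscustomobject]@{ SamAccountName = 'adm-carol'
        DistinguishedName = 'CN=adm-carol,CN=Users,DC=example,DC=test'
        MemberOf = @("CN=PAW Users Tier 2,OU=Groups,OU=Tier 2,$base") }
)
Test-TierAssignment -Account $sample | Format-Table -AutoSize
```

Against a live domain, replace `$sample` with the output of `Get-ADUser -Filter * -Properties MemberOf` from the ActiveDirectory module; any row whose `Status` is not `OK` needs to be moved or have its group memberships corrected.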

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_PAW_V2R3_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000366, CCI|CCI-002227, Rule-ID|SV-243444r852041_rule, STIG-ID|WPAW-00-000400, STIG-Legacy|SV-92851, STIG-Legacy|V-78145, Vuln-ID|V-243444

Plugin: Windows

Control ID: 65b52e0de449350e8f6e8b7efe20b1424da509ebde9018f7010f0db6b3afdeed