Accounts. With the exception of service accounts and the administrator accounts built into operating systems, devices, or applications (e.g. Administrator, admin, root), accounts must be named such that they are attributable to an individual user. The use of built-in/default accounts is limited to initial configuration and emergency recovery (e.g. a lost Administrator or root password).
Multifactor Authentication (MFA). All local and network access will be authenticated using at least two of the following factors: password or PIN (something you know), smartcard or token (something you have), biometric (something you are).
Types of Accounts:
User Accounts
Privileged Accounts
Service Accounts. Service accounts will adhere to the same rules as Privileged Accounts with the following exceptions: MFA is not required, and password expiration is extended to 180 days.
Password Rules
Passwords will be:
- At least 15 characters in length
- Contain at least two lowercase letters, two uppercase letters, two numbers, and two special characters
- Passwords and PINs cannot contain three consecutive characters of the same type
- PINs used on hand-held devices will contain 6 or more digits
- PINs used across the network from hand-held devices will contain 9 or more digits
- The last 24 passwords are remembered and cannot be reused
- Passwords and PINs cannot be changed more than once every 24 hours
- Passwords must be changed every 90 days.
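The rules above, as an added PowerShell example that is not part of the policy document. It has two parts: a pre-check function that mirrors every rule (for use when provisioning or rotating a credential), and the fine-grained password policies (PSOs) that make Active Directory enforce the parts it can. It assumes the ActiveDirectory module (RSAT), rights to create PSOs, and two groups that are assumed to exist: 'Password-Users' for user and privileged accounts and 'Password-ServiceAccounts' for service accounts.

```powershell
# Added example, not from the policy document. Group names 'Password-Users' and
# 'Password-ServiceAccounts' are assumed.

function Test-PasswordPolicy {
    param([Parameter(Mandatory)][string]$Password)
    $reasons = @()
    if ($Password.Length -lt 15)                                 { $reasons += 'shorter than 15 characters' }
    if ([regex]::Matches($Password, '[a-z]').Count -lt 2)        { $reasons += 'fewer than two lowercase letters' }
    if ([regex]::Matches($Password, '[A-Z]').Count -lt 2)        { $reasons += 'fewer than two uppercase letters' }
    if ([regex]::Matches($Password, '[0-9]').Count -lt 2)        { $reasons += 'fewer than two digits' }
    if ([regex]::Matches($Password, '[^a-zA-Z0-9]').Count -lt 2) { $reasons += 'fewer than two special characters' }
    # Three consecutive characters of the same class (lower, upper, digit, special).
    # -cmatch is required: the default -match is case-insensitive and would treat [a-z] as [A-Za-z].
    if ($Password -cmatch '[a-z]{3}|[A-Z]{3}|[0-9]{3}|[^a-zA-Z0-9]{3}') {
        $reasons += 'three consecutive characters of the same class'
    }
    [pscustomobject]@{ Compliant = ($reasons.Count -eq 0); Reasons = $reasons }
}

Import-Module ActiveDirectory

# Users and privileged accounts: 15 chars, complexity on, 24 remembered,
# at most one change per day, 90-day maximum age. Lower precedence wins if a user is in both groups.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Users' -Precedence 10 `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Users' -Subjects 'Password-Users'

# Service accounts: same rules, but the maximum age is extended to 180 days.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 20 `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 180) `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'Password-ServiceAccounts'

# Constructed sample inputs for the pre-check.
Test-PasswordPolicy 'Tr0ub4dor&3Xyz!Q'
Test-PasswordPolicy 'aB1!cD2@eF3#gH4$'
```

The first sample password meets the length and two-of-each-class rules but fails on "dor", three consecutive lowercase letters; the second passes every rule. Note what the PSO does and does not enforce: Active Directory's ComplexityEnabled requires only three of four character classes with one character each, so the two-of-each-class and no-three-consecutive rules are checked by Test-PasswordPolicy at provisioning time and are not enforced at password-change time unless a password filter DLL is installed on every domain controller.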
Expiration Warnings. Warning messages will be sent 15, 7 and 1 day before account expiration.
Accounts with no logon for 30 days will be flagged as stale; accounts with no logon for 45 days will be automatically disabled.
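The warning and stale-account rules above as an added example, not part of the policy document and written here for a scheduled task. It assumes the ActiveDirectory module, reads "expiration" as password expiry (an assumption), and leaves sending the mail to the caller. The 15/7/1-day warning points and the 30/45-day thresholds are the policy's own values.

```powershell
# Added example, not from the policy document.
Import-Module ActiveDirectory

function Get-PasswordExpiryWarnings {
    param([int[]]$WarnDays = @(15, 7, 1))
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
               -Properties 'msDS-UserPasswordExpiryTimeComputed', mail |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 = must change at next logon; Int64.MaxValue = no expiry applies. Neither gets a warning.
        if (-not $raw -or $raw -eq [long]::MaxValue) { return }
        $expires  = [datetime]::FromFileTime($raw)
        $daysLeft = [int][math]::Floor(($expires - (Get-Date)).TotalDays)
        if ($daysLeft -in $WarnDays) {
            [pscustomobject]@{ SamAccountName = $_.SamAccountName; Mail = $_.mail
                               ExpiresOn = $expires; DaysLeft = $daysLeft }
        }
    }
}

function Invoke-StaleAccountReview {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$StaleDays = 30, [int]$DisableDays = 45, [string]$SearchBase)
    $params = @{ AccountInactive = $true; TimeSpan = (New-TimeSpan -Days $StaleDays); UsersOnly = $true }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    foreach ($acct in (Search-ADAccount @params | Where-Object Enabled)) {
        $u    = Get-ADUser -Identity $acct.DistinguishedName -Properties LastLogonDate, whenCreated
        # Accounts that never logged on have no LastLogonDate; age them from creation instead.
        $last = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
        $idle = [int]((Get-Date) - $last).TotalDays
        if ($idle -ge $DisableDays) {
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable: no logon for $idle days")) {
                Disable-ADAccount -Identity $u
                Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format yyyy-MM-dd): no logon for $idle days"
            }
            $state = 'Disabled'
        } else {
            $state = 'Stale'
        }
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; LastLogon = $last; IdleDays = $idle; State = $state }
    }
}

# Preview first; drop -WhatIf to apply.
Get-PasswordExpiryWarnings
Invoke-StaleAccountReview -WhatIf
```

LastLogonDate is derived from lastLogonTimestamp, which is only replicated when it is more than 9 to 14 days old, so the idle figure can understate a real gap by up to two weeks; the 30- and 45-day thresholds sit safely above that lag, but a disable may land up to two weeks later than the nominal day 45.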
Extended Absence.
If an individual will be on an extended absence, they must notify the Service Desk within 5 days of departure. The account will be suspended by marking it disabled for 90 days or until the individual returns.
Use of Password Vaults.
Active Directory Roles
All Active Directory Roles will be configured in accordance with Microsoft's Best Practices for Securing Active Directory.
Enterprise Admins (.EA). Built-in Active Directory Forest Root Domain Role. Note the Enterprise Admins group is by default a member of the domain Built-in\Administrators group. Appendix E: Securing Enterprise Admins Groups in Active Directory.
Schema Admins (.CA). Built-in Active Directory Forest Root Domain Role.
Domain Admins (.DA). Built-in Active Directory Domain Role.
Group Policy Admins (.GA). Custom-defined group for administration of Group Policy Objects (GPO).
OU Admins (.OA). Custom-defined group for administration of an Organizational Unit (OU) within a Domain. Each OU has an "OU Admins" group defined for it, named after the OU (e.g. the OU Admins group for the OU "Executive Group" is named "Executive Group OU Admins").
System Administrators (.SA). Custom-defined for administrators of Windows servers. Assigned membership in the domain Administrators and Domain Admins group. Note the Domain Admins group is a member of the Built-in\Administrators group. Appendix F: Securing Domain Admins Groups in Active Directory.
Account Operators (.AO). Built-in Active Directory Domain Role.
Server Operators (.SO). Built-in Active Directory Domain Role, used by Windows Server administrators to perform specific privileged tasks on domain controllers.
Backup Operators (.BO). Built-in Active Directory Domain Role.
Auditors (.AU). Custom-defined group for viewing audit events. Member of the Event Log Readers built-in group.
Workstation Admins (.SA). Custom-defined group for administrators of Windows workstations (desktops and laptops).
Service Desk Technician (.SD). Custom-defined group for Tier 1 and 2 Service Desk technicians.
Application Administrators (.AA). Custom-defined group for application administration.
Local Workstation Admins (.LA). Custom-defined group that is placed in the local Built-in\Administrators group on workstations.
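The per-OU "OU Admins" naming and delegation rule and the Auditors nesting above, as an added PowerShell example that is neither the policy's nor Microsoft's code. It assumes the ActiveDirectory module (which provides the AD: drive), Domain Admins rights to run it, and a container 'OU=Role Groups,DC=corp,DC=example' for the custom groups; that container name and the 'CORP' domain are assumptions.

```powershell
# Added example, not from the policy document. 'OU=Role Groups,DC=corp,DC=example' is an assumed name.
Import-Module ActiveDirectory

function New-OUAdminsGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$OUDistinguishedName,
        [string]$GroupPath = 'OU=Role Groups,DC=corp,DC=example'
    )
    $ou   = Get-ADOrganizationalUnit -Identity $OUDistinguishedName
    $name = "$($ou.Name) OU Admins"                    # policy naming rule: "<OU name> OU Admins"
    $grp  = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $grp) {
        $grp = New-ADGroup -Name $name -SamAccountName ($name -replace ' ', '') `
                           -GroupScope Global -GroupCategory Security -Path $GroupPath -PassThru
    }
    # Delegate full control over objects *inside* the OU (Descendents only), not over the OU object
    # itself, so OU admins cannot re-ACL, rename or move the OU to widen their own scope.
    $acl  = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $grp.SID,
                [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
                [System.Security.AccessControl.AccessControlType]::Allow,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$($ou.DistinguishedName)" -AclObject $acl
    $grp
}

# Auditors (.AU): custom group nested in the built-in Event Log Readers group.
if (-not (Get-ADGroup -Filter "Name -eq 'Auditors'")) {
    New-ADGroup -Name 'Auditors' -GroupScope Global -GroupCategory Security `
                -Path 'OU=Role Groups,DC=corp,DC=example'
}
Add-ADGroupMember -Identity 'Event Log Readers' -Members 'Auditors'

# Example from the policy text: the "Executive Group" OU gets "Executive Group OU Admins".
New-OUAdminsGroup -OUDistinguishedName 'OU=Executive Group,DC=corp,DC=example'
```

Two caveats a practitioner will want. GenericAll over an OU's descendants lets OU admins reset the password of, or add a service principal name to, every account under that OU, so privileged (.DA, .EA, .SA) accounts and their groups must never live under an OU that has an OU Admins group, or an OU admin becomes a Domain Admin in practice. And membership in the domain's Event Log Readers group only grants log access on domain controllers; to let Auditors read logs on member servers and workstations, add the group to the local Event Log Readers group on those hosts (for example through Restricted Groups in Group Policy).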
Appendix B: Privileged Accounts and Groups in Active Directory, in Microsoft's Best Practices for Securing Active Directory, describes the rights, privileges, and permissions of the built-in groups in Active Directory. Groups in the lists below that correspond to an account type defined above can be provisioned to users as that account type (e.g. user.EA is a member of the Built-in\Enterprise Admins group in the Forest Root Domain). Names in parentheses are either default members of the preceding group or the Windows Server version that introduced it.
Built-in Groups at the Forest Root Domain Level:
Administrator, Administrators (Enterprise Admins), Enterprise Admins (Administrator), Incoming Forest Trust Builders, Schema Admins.
Built-in Groups at the Domain Level.
Access Control Assistance Operators (Windows Server 2012), Account Operators, Administrator, Administrators (Enterprise Admins, Domain Admins, Administrator), Allowed RODC Password Replication Group, Backup Operators, Cert Publishers, Certificate Service DCOM Access, Cloneable Domain Controllers (Windows Server 2012), Cryptographic Operators, Debugger Users, Denied RODC Password Replication Group, DHCP Administrators, DHCP Users, Distributed COM Users, DnsAdmins, DnsUpdateProxy, Domain Admins (Administrator), Domain Computers, Domain Controllers, Domain Guests, Domain Users, Enterprise Read-only Domain Controllers, Event Log Readers, Group Policy Creator Owners, Guest, Guests, Hyper-V Administrators (Windows Server 2012), IIS_IUSRS, Krbtgt, Network Configuration Operators, Performance Log Users, Pre-Windows 2000 Compatible Access, Print Operators, RAS and IAS Servers, RDS Endpoint Servers (Windows Server 2012), RDS Management Servers (Windows Server 2012), RDS Remote Access Servers (Windows Server 2012), Read-only Domain Controllers, Remote Desktop Users, Remote Management Users (Windows Server 2012), Replicator, Server Operators, Terminal Server License Servers, Users, Windows Authorization Access Group, WinRMRemoteWMIUsers__ (Windows Server 2012).
Built-in Groups at the Computer Level.
Administrators (Domain Admins)
Use of the Built-In Administrator accounts in Active Directory is limited to initial build and disaster recovery scenarios. In each domain in Active Directory, an Administrator account is created as part of the creation of the domain. This account is by default a member of the Domain Admins and Administrators groups in the domain, and if the domain is the forest root domain, the account is also a member of the Enterprise Admins group. Appendix D: Securing Built-in Administrator Accounts in Active Directory, Appendix G: Securing Administrators Groups in Active Directory.
Service Accounts. Service accounts will be defined as necessary to grant an application or service only the rights and privileges it needs to function. The Interactive Logon right will be explicitly denied. The following rights will be granted only within the scope the service account requires: Allow log on to (the specific hosts on which the service runs) and Log on as a service.
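Provisioning a service account under the rules above, as an added PowerShell example that is not part of the policy document. It assumes the ActiveDirectory module, an OU 'OU=Service Accounts,DC=corp,DC=example' (assumed name), the 'CORP' domain (assumed), and that Set-ServiceLogonRights is run elevated on each host where the service will run. Denying remote interactive (RDP) logon alongside console logon is this example's reading of "Interactive Logon", not something the policy spells out.

```powershell
# Added example, not from the policy document. OU path and 'CORP' domain are assumed names.
Import-Module ActiveDirectory

function New-PolicyServiceAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$HostNames,   # only the hosts the service actually runs on
        [string]$Path = 'OU=Service Accounts,DC=corp,DC=example'
    )
    # Random initial password from the OS CSPRNG (Get-Random is not suitable); store it in the password vault.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-ADUser -Name $Name -SamAccountName $Name -Path $Path -AccountPassword $secret -Enabled $true `
        -PasswordNeverExpires $false -CannotChangePassword $true `
        -KerberosEncryptionType AES128,AES256 `
        -LogonWorkstations ($HostNames -join ',') `
        -Description "Service account; interactive logon denied; hosts: $($HostNames -join ',')" -PassThru
}

function Add-RightAssignment {
    # Append *SID to a "Right = ..." line of a secedit INF, or add the line if the right is currently unset.
    param([string[]]$InfLines, [string]$Right, [string]$Sid)
    $found = $false
    $out = @(foreach ($line in $InfLines) {
        if ($line -match "^$Right\s*=") {
            $found = $true
            if ($line.Contains("*$Sid")) { $line } else { "$line,*$Sid" }
        } else { $line }
    })
    if (-not $found) { $out += "$Right = *$Sid" }   # [Privilege Rights] is the last section of the export
    $out
}

function Set-ServiceLogonRights {
    # Run on the host: deny interactive (console and RDP) logon, allow "Log on as a service".
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'CORP\svc-backup'
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'rights.inf'
    $db  = Join-Path $env:TEMP 'rights.sdb'
    # Export the current assignments first: secedit /configure REPLACES each right listed in the INF with
    # the INF contents, so a fresh INF holding only this SID would strip every other service-logon principal.
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $inf
    foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight', 'SeServiceLogonRight') {
        $lines = Add-RightAssignment -InfLines $lines -Right $right -Sid $sid
    }
    Set-Content -Path $inf -Value $lines -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -Force -ErrorAction SilentlyContinue
}

New-PolicyServiceAccount -Name 'svc-backup' -HostNames 'SRV01', 'SRV02'
Set-ServiceLogonRights -Account 'CORP\svc-backup'    # on SRV01 and on SRV02
```

The LogonWorkstations restriction is the directory-side half of "Allow log on to": the domain controller refuses the account's logon from any host not on the list, which limits where a stolen service password can be used. The user-rights half is per host, which is why Set-ServiceLogonRights has to be run (or the equivalent pushed by Group Policy) on every server in the list. Where the service is a Windows service on a domain member, a group managed service account is the usual alternative: it rotates its own password and has no usable interactive credential, but it falls outside this page's 180-day rotation scheme.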
ACAS Roles
Appendices: Processes and Procedures
Appendix A: Account Request Form(s)
Appendix B: Account Provisioning Process
Appendix C: Account Termination Process