CUI

STIG Rule - V-269099

V-269099

SV-269099r1026184_rule

CAT I

Windows Server running Active Directory Certificate Services (AD CS) must be managed by a PAW tier 0.

From: Active Directory Forest Security Technical Implementation Guide (V3R2)

Description

Verify that a site has set aside one or more PAWs for remote management of AD CS.

Documentable: false

Check Procedure

Verify that a site has set aside one or more PAWs for remote management of AD CS. A dedicated AD CS/CA Admin account that is usable only on a tier 0 PAW or the AD CS server itself must be used to manage the certificate authority and approve requests. Review any available site documentation. Verify that any PAW used to manage high-value IT resources of a specific tier is used exclusively for managing high-value IT resources assigned to that one tier. If the site has not set aside one or more PAWs for remote management of AD CS, this is a finding.
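The check above is largely a documentation review, but its "usable only on a tier 0 PAW or the AD CS server" requirement has one directly auditable piece in the directory: the account's Log On To restriction (the LogonWorkstations attribute, which maps to userWorkstations). The following PowerShell is an added example, not part of the STIG or of any DISA tooling; it lists the dedicated CA admin accounts and compares their Log On To list against the approved tier 0 PAW(s) and CA host. The account names and host names are assumptions for illustration, and the script requires the ActiveDirectory module (RSAT) in a domain-joined session with read access to the accounts.

```powershell
# Added example (not STIG text): audit whether the dedicated AD CS admin accounts
# are restricted to the tier 0 PAW(s) and the CA host via the Log On To
# (LogonWorkstations / userWorkstations) attribute.
Import-Module ActiveDirectory

# Assumed names: the dedicated CA admin accounts, and the only hosts they may
# log on to (tier 0 PAWs plus the CA server itself).
$CaAdminAccounts = @('svc-ca-admin', 'ca-mgr')
$AllowedHosts    = @('PAW-T0-01', 'PAW-T0-02', 'CA01')

function Test-CaAdminLogonRestriction {
    param(
        [Parameter(Mandatory)] [string[]] $Accounts,
        [Parameter(Mandatory)] [string[]] $Allowed
    )
    # Normalize case once; NetBIOS names are case-insensitive.
    $allowedSet = $Allowed | ForEach-Object { $_.ToUpperInvariant() }

    foreach ($sam in $Accounts) {
        $user = Get-ADUser -Identity $sam -Properties LogonWorkstations -ErrorAction Stop

        # An empty attribute means "All computers": the account is usable anywhere,
        # which is exactly what the STIG check forbids for the CA admin account.
        if ([string]::IsNullOrWhiteSpace($user.LogonWorkstations)) {
            [pscustomobject]@{ Account = $sam; Status = 'FINDING'
                               Detail  = 'No Log On To restriction (all computers)' }
            continue
        }

        # The attribute is a single comma-separated string of computer names.
        $current = $user.LogonWorkstations -split ',' |
                   ForEach-Object { $_.Trim().ToUpperInvariant() } |
                   Where-Object { $_ }
        $extra   = $current    | Where-Object { $allowedSet -notcontains $_ }
        $missing = $allowedSet | Where-Object { $current    -notcontains $_ }

        if ($extra) {
            # Usable from a host outside the approved tier 0 set.
            [pscustomobject]@{ Account = $sam; Status = 'FINDING'
                               Detail  = "Usable on non-tier-0 hosts: $($extra -join ', ')" }
        } elseif ($missing) {
            # Stricter than the approved list; confirm the approved list is current.
            [pscustomobject]@{ Account = $sam; Status = 'REVIEW'
                               Detail  = "Approved hosts not listed: $($missing -join ', ')" }
        } else {
            [pscustomobject]@{ Account = $sam; Status = 'PASS'
                               Detail  = "Restricted to: $($current -join ', ')" }
        }
    }
}

Test-CaAdminLogonRestriction -Accounts $CaAdminAccounts -Allowed $AllowedHosts |
    Format-Table -AutoSize

# Remediation for a FINDING (assumed names): pin the account to the PAW(s) and CA host.
# Set-ADUser -Identity 'svc-ca-admin' -LogonWorkstations ($AllowedHosts -join ',')
```

Treat a PASS here as supporting evidence for the check, not as the whole check: the Log On To list is enforced against the workstation name presented at logon and does not by itself prove the PAW is used exclusively for tier 0 or that the account is excluded from lower-tier hosts by policy. In practice it is paired with deny-logon group policy on tier 1 and tier 2 systems, Protected Users membership, and, where available, an Authentication Policy Silo for tier 0 accounts and hosts.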

Fix Text

Configure and set aside one or more PAWs for configuration and management of AD CS. For AD, multiple configuration items could enable anonymous access. Set aside one or more PAWs for remote management of high-value IT resources assigned to a specific tier. For example, using the Microsoft Tier 0-2 model, each PAW would be assigned to manage Tier 0, Tier 1, or Tier 2 high-value IT resources.

CCI Reference

CCI-000366
Created
2026-01-14 17:55:45
Last Updated
2026-04-07 20:08:09