| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-243490 | CAT II | MONT-DC-003 | Active Directory Domain Security Technic... | Usage of administrative accounts must be monitored... | - | | | |
Check Text:

Verify account usage events for administrative accounts are being monitored. This includes events related to approved administrative accounts as well as accounts being added to privileged groups such as Administrators, Domain and Enterprise Admins and other organization defined administrative groups. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools. Monitor for the events listed below, at minimum. If these events are not monitored, this is a finding.

- Account Lockouts (Subcategory: User Account Management): 4740 - A user account is locked out.
- User Added to Privileged Group (Subcategory: Security Group Management): 4728 - A member was added to a security-enabled global group. 4732 - A member was added to a security-enabled local group. 4756 - A member was added to a security-enabled universal group.
- Successful User Account Login (Subcategory: Logon): 4624 - An account was successfully logged on.
- Failed User Account Login (Subcategory: Logon): 4625 - An account failed to log on.
- Account Login with Explicit Credentials (Subcategory: Logon): 4648 - A logon was attempted using explicit credentials.

Fix Text:

Monitor account usage events for administrative accounts. This includes events related to approved administrative accounts as well as accounts being added to privileged groups such as Administrators, Domain and Enterprise Admins and other organization defined administrative groups. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools. Monitor for the events listed below, at minimum.

- Account Lockouts (Subcategory: User Account Management): 4740 - A user account is locked out.
- User Added to Privileged Group (Subcategory: Security Group Management): 4728 - A member was added to a security-enabled global group. 4732 - A member was added to a security-enabled local group. 4756 - A member was added to a security-enabled universal group.
- Successful User Account Login (Subcategory: Logon): 4624 - An account was successfully logged on.
- Failed User Account Login (Subcategory: Logon): 4625 - An account failed to log on.
- Account Login with Explicit Credentials (Subcategory: Logon): 4648 - A logon was attempted using explicit credentials.

The "Account Usage" section of NSA's "Spotting the Adversary with Windows Event Log Monitoring" provides additional information: https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm

Finding Details:

Evaluate-STIG 1.2507.5 (Scan-ActiveDirectoryDomain_Checks) found this to be NOT A FINDING on 10/23/2025

ResultHash: 47E7E00721432249DBC12DBEBACC7D51EB9D1FDE

```text
~~~~~
Category: Logon                     Audit On: Success and Failure
Category: User Account Management   Audit On: Success and Failure
Category: Account Lockout           Audit On: Success and Failure
Category: Security Group Management Audit On: Success

Queries of Events
=====================
No event was found for EventID: 4740
No event was found for EventID: 4728
No event was found for EventID: 4732
No event was found for EventID: 4756

Event ID: 4624
Message: An account was successfully logged on.
Level: Information
Container Log: security
Time Created: 10/23/2025 17:18:23

Event ID: 4625
Message: The EventSystem sub system is suppressing duplicate event log entries for a duration of 86400 seconds.
Level: Information
Container Log: application
Time Created: 10/23/2025 17:00:12

Event ID: 4648
Message: A logon was attempted using explicit credentials.
Level: Information
Container Log: security
Time Created: 10/23/2025 17:14:12
```
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADDomain_V3R5_20251023-171837.ckl
Scan Date: 2026-01-14T12:57:36.435963
Technology Area: Domain Name System