CUI

Vulnerability V-243479


V-243479

CAT II

The Directory Service Restore Mode (DSRM) passwords must be changed on each Domain Controller (DC) at least annually.

Ships Affected: 1
Total Findings: 1
Open: 0
Closed: 0

Check Text

Verify the DSRM password for each DC is changed at least annually. If logs are retained locally for a sufficient amount of time to capture the log event, the following command will indicate the password reset:

PS C:\> Get-WinEvent -FilterHashtable @{Logname='Security'; ID=4794} | Format-Table -Property TimeCreated, Message

TimeCreated           Message
-----------           -------
10/29/2025 4:47:12 PM An attempt was made to set the Directory Services Restore Mode...

If logs are not available, review the site processes around DSRM password reset to determine compliance.

If DSRM passwords are not changed for each DC in the domain at least annually, this is a finding.
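The check above is per DC and assumes the Security log still holds the event. As an added example (not part of the STIG check text), the following PowerShell runs the same event ID 4794 query against every DC in the domain, compares the newest hit against a 365-day cutoff, and uses the oldest retained Security event to tell a genuine finding apart from a log that has simply rolled over. It assumes the ActiveDirectory (RSAT) module is installed and the caller can read the Security log on each DC.

```powershell
# Added example, not the STIG's own text. Requires the ActiveDirectory module
# and remote read access to the Security log on each domain controller.
Import-Module ActiveDirectory

$MaxAgeDays = 365
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

$Report = foreach ($dc in Get-ADDomainController -Filter *) {
    $Name = $dc.HostName

    # Event 4794 is recorded on the DC where the DSRM password was set.
    $Events = Get-WinEvent -ComputerName $Name `
        -FilterHashtable @{ LogName = 'Security'; ID = 4794 } `
        -ErrorAction SilentlyContinue -ErrorVariable QErr
    $Latest = $Events | Sort-Object TimeCreated -Descending | Select-Object -First 1

    # Get-WinEvent reports "no events found" as an error; any other error
    # (RPC unreachable, access denied) means the check could not be performed.
    $Unreachable = $QErr -and ($QErr[0].FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*')

    # The oldest retained Security event shows whether the log still covers the
    # whole 365-day window; if it does not, a missing 4794 event is inconclusive.
    $Oldest = Get-WinEvent -ComputerName $Name -LogName Security -MaxEvents 1 -Oldest `
        -ErrorAction SilentlyContinue

    $Status = if ($Unreachable) { 'Error: Security log not readable' }
    elseif ($Latest -and $Latest.TimeCreated -ge $Cutoff) { 'Compliant' }
    elseif (-not $Latest -and $Oldest -and $Oldest.TimeCreated -gt $Cutoff) {
        'Inconclusive: log retention shorter than 365 days, review site process'
    }
    else { 'Finding: no DSRM reset within 365 days' }

    [pscustomobject]@{
        DomainController = $Name
        LastDsrmReset    = if ($Latest) { $Latest.TimeCreated } else { $null }
        LogOldestEvent   = if ($Oldest) { $Oldest.TimeCreated } else { $null }
        Status           = $Status
    }
}

$Report | Sort-Object DomainController | Format-Table -AutoSize
```

Rows marked Inconclusive still need the site-process review the check text calls for; the script only proves compliance where the log itself holds a reset event inside the window.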

Fix Text

Change the DSRM passwords on each DC at least annually with the following commands:

C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: Set DSRM Password
Reset DSRM Administrator Password: Reset Password on server <servername>

Follow prompts to reset the password.

STIG Reference

STIG: Active Directory Domain Security Technical Implementation Guide
Version: 3
Release: 7
Rule ID: SV-243479r1153403_rule

All Occurrences

This vulnerability appears on 1 ship(s)

Ship: USNS MONTFORD POINT
Hull #: T-ESD-1
Source File: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADDomain_V3R5_20251023-171837.ckl
Assigned To: Unassigned
Scan Date: 2026-01-14T12:57:36.435963