This article guides professionals on how to change the Directory Service Restore Mode (DSRM) password for an Active Directory Domain
Implementing this control should be considered of at least medium importance.
How to implement this security control
Change the DSRM password at least annually.
How to verify this security control is implemented
Confirm that the organisation has a process that addresses DSRM password change frequency.
Depending on the nature of the organisation, consider changing the DSRM passwords at least annually.
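One way to collect evidence for both steps above, as an added example that is not part of the original article: the script reports, per domain controller, the most recent successful DSRM password reset recorded in the Security log and flags any older than a year. It assumes the ActiveDirectory module (RSAT), rights to read each DC's Security log remotely, and that the "Audit User Account Management" audit policy is enabled so that event ID 4794 is recorded.

```powershell
# Added example: audit DSRM password age across all domain controllers.
# The reset itself is done on each DC (the tool prompts for the new password):
#   ntdsutil "set dsrm password" "reset password on server null" q q
Import-Module ActiveDirectory

$maxAgeDays = 365                              # "at least annually"
$cutoff     = (Get-Date).AddDays(-$maxAgeDays)

# Only count audit-success records; 4794 is also logged for failed attempts.
$success = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditSuccess

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $last = $null
    $note = ''
    try {
        # Event 4794: an attempt was made to set the DSRM administrator password.
        $last = Get-WinEvent -ComputerName $dc.HostName -MaxEvents 1 -ErrorAction Stop `
                    -FilterHashtable @{ LogName = 'Security'; Id = 4794; Keywords = $success }
    } catch {
        # Covers "no matching events" as well as an unreachable or unreadable log.
        $note = $_.Exception.Message
    }

    $status = if (-not $last)                      { 'UNKNOWN' }
              elseif ($last.TimeCreated -lt $cutoff) { 'OVERDUE' }
              else                                 { 'OK' }

    [pscustomobject]@{
        DomainController = $dc.HostName
        LastDsrmReset    = if ($last) { $last.TimeCreated } else { $null }
        Status           = $status
        Note             = $note
    }
}

$report | Sort-Object Status, DomainController | Format-Table -AutoSize
```

UNKNOWN means only that no matching event is still in that DC's Security log, which often retains less than a year of history. Forwarding event 4794 to central log storage, or recording each reset in the change process, keeps the evidence available for the annual review.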
Why you should implement this security control
The Directory Service Restore Mode (DSRM) password, used to log on to a domain controller (DC) when rebooting into the server recovery mode, is very powerful. With a weak or known password, someone with local access to the DC can reboot the server and copy or modify the Active Directory database without leaving any trace of the activity.
Failure to change the DSRM password periodically could allow a compromise of the Active Directory. It could also allow an unknown (lost) password to go undetected. If not corrected during a periodic review, the problem might surface during an actual recovery operation and delay or prevent the recovery.