STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 23 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Microsoft Windows Server 2025 Security Technical Implementation Guide

V-277987

CAT I (High)

Windows Server 2025 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.

Rule ID

SV-277987r1212169_rule

STIG

Microsoft Windows Server 2025 Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000366CCI-001312

Discussion

Accounts with administrative privileges using applications that access the internet, or have potential internet sources, expose a system to compromise. If a flaw in an application is exploited while running as a privileged user, the entire system could be compromised. Web browsers and email are common attack vectors for introducing malicious code and must not be run with an administrative account. Since administrative accounts could change or work around technical restrictions for running a web browser or other applications, it is essential that a policy prohibits administrative accounts accessing the internet or use public-facing applications such as email. The policy must define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. Technical methods (such as allow listing) must be used to enforce the policy, except as approved by the AO. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000205-GPOS-00083

Check Content

Determine whether organization policy, at a minimum, prohibits administrative accounts from using applications that access the internet or other public-facing networks. These applications include web browsers or applications with potential internet sources, such as email, except as necessary for local service administration.

The policy must define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices.

Determine whether the organization uses technical means, such as allow listing via AppLocker or Software Restriction Policies (SRPs), to prevent administrative accounts' use of browsers and email applications. 

Note: Allow list tools facilitate defining rules that explicitly permit approved applications to run while blocking all others by default.

Administrative accounts that do not have technical restrictions to applications that access public-facing networks must be documented and approved by the information system security officer (ISSO) or authorizing official (AO).

If administrative access to applications that access public-facing networks is not blocked by technical means (except as approved by the AO), this is a finding.

Fix Text

Establish a policy, at minimum, to prohibit administrative accounts from using applications that access public-facing networks or the internet, such as web browsers, or applications with potential internet sources, such as email. 

Ensure the policy is enforced by technical means, such as allow listing via AppLocker or Software Restriction Policies (SRPs).

Document any exceptions to technical enforcement with the information system security officer (ISSO).