5.2 Compute Resources

~~Access Controls:~~

a. ~~Apply~~ Role-Based Access Control (RBAC):
on
- DTC retains and ~~on-premises~~manages ~~systems.~~credentials for Built-In Administrator, Domain Administrator, and dtcadminaccounts.
- b.DTC creates unique administrator accounts for client-designated decision-makers, granting local or full administrative privileges as specified.
- ~~Set~~Decision-makers ~~default~~are permitted to retain access ~~permissions~~to Domain Administrator credentials.
- Upon termination of services, all compute resource credentials managed by DTC are released to the ~~principle of least privilege.~~client.
c.Server Console and Shell Protections:
- Remote Desktop Protocol (RDP):
  - Configured to accept connections only from:
    - The server itself (localhost).
    - Directly attached non-public networks.
    - Designated management networks, if they exist.
- PowerShell Remoting:
  - Configured to accept connections only from:
    - The server itself (localhost).
    - Directly attached non-public networks.
    - Designated management networks, if they exist.
- Windows Management Instrumentation (WMI): ~~Offer~~Enabled ~~implementation~~to offacilitate ~~Conditional~~system ~~Access~~management ~~Policies~~and asmonitoring.
  a
- ~~service~~
  Windows Firewall: Disabled by default; configurable based on client requirements.
- Server Message Block (SMB) 1.0: Disabled unless explicitly required by specific applications to mitigate security vulnerabilities.
- Secure Shell (SSH): Enabled to provide secure remote access and management.
- Network Tunnel Agent: May be deployed for DTC management purposes or to facilitate client remote network access.
- Administrator Account Credentials Rotation:
  - Credentials for both the built-in Administrator and dtcadmin accounts are automatically rotated under the following conditions:
    - At system boot.
    - Upon user sign-in.
    - On a weekly basis.
  - These credentials are randomized with a minimum length of 16 characters to enhance security.

Data Protections:
- All data protections for local data volumes and directly attached data volumes adhere to the policies outlined in section 5.3 Storage. This ensures consistent application of encryption, media disposal, backup encryption, and immutability standards across all storage mediums.

Technical Controls:

~~Azuredevelopmentframeworks~~

Control ID	Description	Tools/Methods
a	~~Apply~~Retain ~~Role-Based~~and ~~Access~~manage ~~Control~~credentials ~~(RBAC)~~for onBuilt-In ~~systems.~~Administrator, Domain Administrator, and `dtcadmin` accounts.	~~Access~~NinjaRMM, ~~management~~IT ~~platforms; Directory services (e.g., Active Directory)~~Glue
b	~~Set~~Create ~~default~~unique ~~access~~administrator ~~permissions~~accounts tofor ~~least~~client-designated ~~privilege.~~decision-makers with specified administrative privileges.	~~Access~~Active ~~control~~Directory, ~~lists~~Entra ~~(ACLs);~~ID, ~~Regular~~Google ~~access reviews~~Workspace
c	~~Implement~~Permit ~~Conditional~~decision-makers ~~Access~~to ~~Policies~~retain asaccess ~~per~~to Domain Administrator credentials.	Active Directory, IT Glue
d	Release all compute resource credentials managed by DTC to the client upon termination of services.	Microsoft 365 Mail Encryption, IT Glue, 1Password
e	Configure Remote Desktop Protocol (RDP) to accept connections only from the server itself, directly attached non-public networks, and designated management networks.	NinjaRMM, Microsoft Windows Group Policy
f	Configure PowerShell Remoting to accept connections only from the server itself, directly attached non-public networks, and designated management networks.	NinjaRMM, Microsoft Windows Group Policy
g	Enable Windows Management Instrumentation (WMI) for system management and monitoring.	NinjaRMM, Microsoft Windows Group Policy
h	Disable Windows Firewall by default; configurable based on client requirements.	~~Conditional~~NinjaRMM, Microsoft Windows Group Policy
i	Disable SMB 1.0 unless required by specific applications to mitigate security risks.	NinjaRMM, Microsoft Windows Group Policy
j	Enable SSH to facilitate secure remote access ~~solutions~~and ~~(e.g.,~~management.	Microsoft ~~Conditional~~Windows ~~Access);~~OpenSSH Server & Client, NinjaRMM, Microsoft Windows Group Policy
k	Deploy network tunnel agents for DTC management or client remote access as needed.	NinjaRMM, Windows or Linux Server, DTC Probe Appliance, Cloudflared, ZeroTier

~~Standard Operating Procedures~~

~~Control ID~~	~~Description~~	~~Tools/Methods~~
a	~~Provision unique identifiers for all users and devices.~~	~~DTC or Client Procured Identity Management Systems (e.g., Active Directory, Azure AD)~~
b	~~Deactivate user accounts after 1 year of inactivity.~~	~~DTC'S RMM, Microsoft Windows PowerShell, Internet Access~~
c	~~Disable local administrator accounts after 90 days of inactivity.~~	~~DTC'S RMM, Microsoft Windows PowerShell, Internet Access~~
d	~~Deactivate staging accounts (e.g.,~~ `installadmin`~~) after 7 days.~~	~~DTC'S RMM, Microsoft Windows PowerShell, Internet Access~~
e	~~Rotate~~ `dtcadmin` ~~user password at system boot, user login, and weekly.~~	~~DTC'S RMM, Microsoft Windows PowerShell, Internet Access~~
f	~~Rotate built-in Administrator password at system boot, user login, weekly.~~	~~DTC'S RMM, Microsoft Windows PowerShell, Internet Access~~
g	~~Implement Multi-Factor Authentication (MFA) on critical systems.~~	~~Microsoft Entra ID, Google Workspace, Cloudflare ZTNA Email~~
h	~~Adhere to default password policies of identity providers.~~	~~Configuration of identity provider settings; Regular policy reviews~~
i	~~Develop customized password policies with clients.~~	~~Consultation sessions; Policy development frameworks~~
j.	~~Review and analyze audit and event logs in order to respond to security incidents.~~	~~SaaS Alerts, Blumira Free Edition~~