SA7: Systems that manage user passwords and other access credentials must be designed so that the passwords are not retrievable by administrators.
Store passwords encrypted and log all administrator access to password files; for Active Directory, use whole-disk encryption on domain controllers that are not in a secure location.