Active Directory Domain Security Technical Implementation Guide


Overview

Date: 2023-02-09
Finding Count: 36 (CAT I (High): 5, CAT II (Med): 27, CAT III (Low): 4)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-243466 High Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest.
V-243467 High Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
V-243470 High Delegation of privileged accounts must be prohibited.
V-243482 High Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts.
V-243483 High A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks.
V-243468 Medium Administrators must have separate accounts specifically for managing domain member servers.
V-243469 Medium Administrators must have separate accounts specifically for managing domain workstations.
V-243498 Medium If a VPN is used in the AD implementation, the traffic must be inspected by the network intrusion detection system (IDS).
V-243497 Medium Inter-site replication must be enabled and configured to occur at least daily.
V-243496 Medium Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups.
V-243495 Medium A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries.
V-243493 Medium Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.
V-243492 Medium Systems must be monitored for remote desktop logons.
V-243491 Medium Systems must be monitored for attempts to use local accounts to log on remotely from other systems.
V-243490 Medium Usage of administrative accounts must be monitored for suspicious and anomalous activity.
V-243471 Medium Local administrator accounts on domain systems must not share the same password.
V-243473 Medium Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers.
V-243472 Medium Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts.
V-243475 Medium Domain controllers must be blocked from Internet access.
V-243474 Medium Windows service/application accounts with administrative privileges and manually managed passwords must have passwords changed at least every 60 days.
V-243477 Medium User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
V-243476 Medium All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days.
V-243479 Medium The Directory Service Restore Mode (DSRM) password must be changed at least annually.
V-243478 Medium Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.
V-243489 Medium Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.
V-243484 Medium Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.
V-243485 Medium Selective Authentication must be enabled on outgoing forest trusts.
V-243486 Medium The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group.
V-243487 Medium Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited.
V-243480 Medium The domain functional level must be at a Windows Server version still supported by Microsoft.
V-243481 Medium Access to need-to-know information must be restricted to an authorized community of interest.
V-243500 Medium Active Directory must be supported by multiple domain controllers where the Risk Management Framework categorization for Availability is moderate or high.
V-243499 Low Active Directory implementation information must be added to the organization contingency plan where the Risk Management Framework categorization for Availability is moderate or high.
V-243494 Low Each cross-directory authentication configuration must be documented.
V-243488 Low User accounts with delegated authority must be removed from Windows built-in administrative groups, or the delegated authority must be removed from the accounts.
V-243501 Low The impact of INFOCON changes on the cross-directory authentication configuration must be considered and procedures documented.