Active Directory Domain Security Technical Implementation Guide (STIG)


Date: 2011-05-12
Finding Count (20): CAT I (High): 2, CAT II (Med): 13, CAT III (Low): 5
STIG Description
These STIGs provide focused security requirements for the AD or Active Directory Domain Services (AD DS) element for Windows Server 2003 and Windows Server 2008. The settings required by each check will be applied to each Domain Controller running the directory service. The system must also be reviewed using the applicable Windows and AD Service STIG, depending on the Windows version installed on the server. Also, if a forest architecture is implemented, a security review using the Active Directory Forest STIG is required.

Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-8534 High Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts.
V-8536 High A controlled interface is required for interconnections among DoD information systems operating between DoD and non-DoD systems or networks.
V-8548 Medium The number of member accounts in privileged groups must not be excessive.
V-8549 Medium Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups.
V-8524 Medium When the domain supports a MAC I or II domain, the directory service must be supported by multiple directory servers.
V-8523 Medium If a VPN is used in the AD implementation, the traffic must be inspected by the network intrusion detection system (IDS).
V-8540 Medium Selective Authentication must be enabled on the outgoing forest trust.
V-25840 Medium The Directory Service Restore Mode (DSRM) password must be changed at least annually.
V-8547 Medium The Everyone and Anonymous Logon groups must be removed from the Pre-Windows 2000 Compatible Access group.
V-8522 Medium A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries.
V-8553 Medium Replication must be enabled and configured to occur at least daily.
V-8551 Medium The domain functional level must be Windows 2003 or higher.
V-25385 Medium Directory data must be backed up at the required frequency.
V-8538 Medium Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.
V-25997 Medium Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.
V-25841 Low Security vulnerability reviews of the domain and/or forest in which the domain controller resides must be conducted at least annually.
V-8530 Low Each cross-directory authentication configuration must be documented.
V-8525 Low AD implementation information must be added to the site's disaster recovery plans, including AD forest, tree, and domain structure.
V-8521 Low User accounts with delegated authority must be removed from Windows built-in administrative groups, or the delegated authority must be removed from the accounts.
V-8526 Low The impact of INFOCON changes on the cross-directory authentication configuration must be considered and procedures documented.