
Active Directory Domain Security Technical Implementation Guide (STIG)


Overview

Date        Finding Count (27)
2013-03-12  CAT I (High): 5   CAT II (Med): 17   CAT III (Low): 5
STIG Description
This STIG provides focused security requirements for the Active Directory (AD) / Active Directory Domain Services (AD DS) element of Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2. These requirements apply to the domain and can typically be reviewed once per AD domain. The separate Active Directory Forest STIG contains forest-level requirements. Systems must also be reviewed using the applicable Windows STIG. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.


Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-8534 High Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts.
V-8536 High A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks.
V-36435 High Delegation of privileged accounts must be prohibited.
V-36432 High Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
V-36431 High Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest.
V-8538 Medium Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.
V-8553 Medium Replication must be enabled and configured to occur at least daily.
V-8551 Medium The domain functional level must be Windows 2003 or higher.
V-25385 Medium Directory data must be backed up at the required frequency.
V-36438 Medium Local administrator accounts on domain systems must not share the same password.
V-36436 Medium Only systems dedicated for the sole purpose of managing Active Directory must be used to manage Active Directory remotely.
V-36437 Medium Dedicated systems used for managing Active Directory remotely must be blocked from Internet Access.
V-36434 Medium Administrators must have separate accounts specifically for managing domain workstations.
V-36433 Medium Administrators must have separate accounts specifically for managing domain member servers.
V-25840 Medium The Directory Service Restore Mode (DSRM) password must be changed at least annually.
V-8522 Medium A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries.
V-8523 Medium If a VPN is used in the AD implementation, the traffic must be inspected by the network intrusion detection system (IDS).
V-8524 Medium When the domain supports a MAC I or II domain, the directory service must be supported by multiple directory servers.
V-8548 Medium The number of member accounts in privileged groups must not be excessive.
V-8549 Medium Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups.
V-8547 Medium The Everyone and Anonymous Logon groups must be removed from the Pre-Windows 2000 Compatible Access group.
V-25997 Medium Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.
V-8530 Low Each cross-directory authentication configuration must be documented.
V-25841 Low Security vulnerability reviews of the domain and/or forest in which the domain controller resides must be conducted at least annually.
V-8521 Low User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts.
V-8526 Low The impact of INFOCON changes on the cross-directory authentication configuration must be considered and procedures documented.
V-8525 Low AD implementation information must be added to the sites disaster recovery plans, including AD forest, tree, and domain structure.
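Several of the findings above (V-8551 domain functional level, V-8547 Pre-Windows 2000 Compatible Access, V-8538 SID filtering on trusts, V-36432/V-36431/V-8548/V-8549 privileged group membership) can be pre-checked from a domain-joined host before a formal review. The script below is an added example written for this page; it is not DISA's official check or fix text, and its pass/fail logic is one reading of each finding title. It assumes the ActiveDirectory PowerShell module (RSAT) and an account with read access to the domain; the MaxMembers threshold, the function names and the Status values are this example's own choices. Trusts are read from the trustedDomain objects directly rather than via Get-ADTrust so the script also runs against the 2008 R2 module.

```powershell
#Requires -Modules ActiveDirectory
# Added example for the AD Domain STIG findings table above. Not DISA check text.
# Assumptions: ActiveDirectory module present, caller can read the domain NC.
Import-Module ActiveDirectory

$EveryoneSid       = 'S-1-1-0'      # well-known SID: Everyone
$AnonymousLogonSid = 'S-1-5-7'      # well-known SID: ANONYMOUS LOGON
$PreWin2000GroupSid = 'S-1-5-32-554' # BUILTIN\Pre-Windows 2000 Compatible Access

# trustAttributes bit flags (MS-ADTS, trustAttributes)
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4   # SID filtering ("quarantine") on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8   # forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20  # parent/child or tree-root trust; cannot be quarantined

function New-Result([string]$Id, [string]$Status, [string]$Detail) {
    [pscustomobject]@{ FindingId = $Id; Status = $Status; Detail = $Detail }
}

# V-8551: domain functional level must be Windows 2003 or higher.
function Test-DomainFunctionalLevel {
    $mode = [string](Get-ADDomain).DomainMode
    if (@('Windows2000Domain', 'Windows2003InterimDomain') -contains $mode) {
        New-Result 'V-8551' 'Open' "Domain functional level is $mode"
    } else {
        New-Result 'V-8551' 'NotAFinding' "Domain functional level is $mode"
    }
}

# V-8547: Everyone and Anonymous Logon must not be in Pre-Windows 2000 Compatible Access.
# Both appear as foreignSecurityPrincipal objects whose CN is the well-known SID.
function Test-PreWin2000CompatibleAccess {
    $group = Get-ADGroup -Identity $PreWin2000GroupSid -Properties member
    $bad = @($group.member | Where-Object {
        $_ -like "CN=$EveryoneSid,*" -or $_ -like "CN=$AnonymousLogonSid,*" })
    if ($bad.Count -gt 0) {
        New-Result 'V-8547' 'Open' ('Pre-Windows 2000 Compatible Access contains: ' + ($bad -join '; '))
    } else {
        New-Result 'V-8547' 'NotAFinding' 'Everyone / Anonymous Logon are not members'
    }
}

# V-8538: SID filtering must be in effect on trusts. External trusts created on
# Windows 2003+ carry the quarantine bit by default; a missing bit on a non-forest,
# non-intra-forest trust means someone ran "netdom trust ... /quarantine:no".
function Test-TrustSidFiltering {
    $trusts = @(Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties trustAttributes)
    if ($trusts.Count -eq 0) { New-Result 'V-8538' 'N/A' 'No trusts defined'; return }
    foreach ($t in $trusts) {
        $attrs = [int]$t.trustAttributes
        $hex   = '0x' + $attrs.ToString('X')
        if ($attrs -band $TRUST_ATTRIBUTE_WITHIN_FOREST) {
            New-Result 'V-8538' 'N/A' "$($t.Name): intra-forest trust ($hex)"
        } elseif ($attrs -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
            # Forest trusts are filtered by default; confirm SID history was not enabled.
            New-Result 'V-8538' 'Review' "$($t.Name): forest trust ($hex); verify with netdom trust /EnableSIDHistory"
        } elseif (-not ($attrs -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)) {
            New-Result 'V-8538' 'Open' "$($t.Name): external trust without quarantine ($hex); fix: netdom trust <this domain> /domain:$($t.Name) /quarantine:yes"
        } else {
            New-Result 'V-8538' 'NotAFinding' "$($t.Name): external trust quarantined ($hex)"
        }
    }
}

# Expand nested group membership by reading the member attribute, which also
# works for foreignSecurityPrincipal members that Get-ADGroupMember may reject.
function Get-EffectiveMembers([string]$GroupIdentity, [hashtable]$Seen = @{}) {
    $group = Get-ADGroup -Identity $GroupIdentity -Properties member
    foreach ($dn in $group.member) {
        if ($Seen.ContainsKey($dn)) { continue }   # guard against circular nesting
        $Seen[$dn] = $true
        $obj = Get-ADObject -Identity $dn -Properties objectClass, sAMAccountName
        if ($obj.objectClass -eq 'group') { Get-EffectiveMembers -GroupIdentity $dn -Seen $Seen }
        else { $obj }
    }
}

# V-36432 / V-36431 / V-8548 / V-8549: size and origin of privileged group membership.
# MaxMembers is a local review threshold chosen for this example, not a STIG number.
function Test-PrivilegedGroup([string]$Group, [string]$FindingId, [int]$MaxMembers = 10) {
    try { $members = @(Get-EffectiveMembers -GroupIdentity $Group) }
    catch { New-Result $FindingId 'N/A' "$Group not resolvable here (Enterprise Admins exists only in the forest root): $($_.Exception.Message)"; return }
    $names  = ($members | ForEach-Object { if ($_.sAMAccountName) { $_.sAMAccountName } else { $_.Name } }) -join ', '
    $status = if ($members.Count -gt $MaxMembers) { 'Review' } else { 'Info' }
    New-Result $FindingId $status "$Group has $($members.Count) effective member(s): $names"
    New-Result 'V-8548' $status "$Group effective member count: $($members.Count)"
    $foreign = @($members | Where-Object { $_.objectClass -eq 'foreignSecurityPrincipal' })
    if ($foreign.Count -gt 0) {
        New-Result 'V-8549' 'Open' ("$Group contains principals from outside the forest: " +
            (($foreign | ForEach-Object { $_.DistinguishedName }) -join '; '))
    }
}

function Invoke-AdDomainStigChecks {
    Test-DomainFunctionalLevel
    Test-PreWin2000CompatibleAccess
    Test-TrustSidFiltering
    Test-PrivilegedGroup -Group 'Domain Admins'     -FindingId 'V-36432'
    Test-PrivilegedGroup -Group 'Enterprise Admins' -FindingId 'V-36431'
}

Invoke-AdDomainStigChecks | Format-Table -AutoSize -Wrap
```

Each row carries the finding ID from the table so the output can be pasted into a review checklist. A 'Review' status means the script could not decide on its own (forest-trust SID history, large privileged groups) and a human must confirm against the full STIG check text; the procedural findings (DSRM password age, backups, dedicated admin workstations) are not testable this way and are deliberately not covered.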