Active Directory Domain Security Technical Implementation Guide (STIG)

Date: 2019-03-21
Finding Count (36): CAT I (High): 5, CAT II (Med): 27, CAT III (Low): 4

STIG Description
This STIG provides focused security requirements for the Active Directory Domain Services (AD DS) element of Windows Server operating systems. These requirements apply to the domain and can typically be reviewed once per AD domain. The separate Active Directory Forest STIG contains forest-level requirements. Systems must also be reviewed using the applicable Windows STIG. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID | Severity | Title
V-8534 | High | Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts.
V-8536 | High | A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks.
V-36435 | High | Delegation of privileged accounts must be prohibited.
V-36432 | High | Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
V-36431 | High | Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest.
V-8538 | Medium | Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.
V-78131 | Medium | User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
V-43714 | Medium | Systems must be monitored for remote desktop logons.
V-43713 | Medium | Systems must be monitored for attempts to use local accounts to log on remotely from other systems.
V-8533 | Medium | Access to need-to-know information must be restricted to an authorized community of interest.
V-8553 | Medium | Inter-site replication must be enabled and configured to occur at least daily.
V-8551 | Medium | The domain functional level must be at a Windows Server version still supported by Microsoft.
V-43652 | Medium | Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers.
V-25385 | Medium | Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.
V-53727 | Medium | Domain controllers must be blocked from Internet access.
V-36438 | Medium | Local administrator accounts on domain systems must not share the same password.
V-36434 | Medium | Administrators must have separate accounts specifically for managing domain workstations.
V-36433 | Medium | Administrators must have separate accounts specifically for managing domain member servers.
V-92285 | Medium | Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.
V-25840 | Medium | The Directory Service Restore Mode (DSRM) password must be changed at least annually.
V-8522 | Medium | A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries.
V-8523 | Medium | If a VPN is used in the AD implementation, the traffic must be inspected by the network Intrusion detection system (IDS).
V-43648 | Medium | Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts.
V-8524 | Medium | Active Directory must be supported by multiple domain controllers where the Risk Management Framework categorization for Availability is moderate or high.
V-8548 | Medium | Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited.
V-8549 | Medium | Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups.
V-43712 | Medium | Usage of administrative accounts must be monitored for suspicious and anomalous activity.
V-8540 | Medium | Selective Authentication must be enabled on outgoing forest trusts.
V-8547 | Medium | The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group.
V-44059 | Medium | Windows service \ application accounts with administrative privileges and manually managed passwords, must have passwords changed at least every 60 days.
V-72821 | Medium | All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days.
V-25997 | Medium | Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.
V-8530 | Low | Each cross-directory authentication configuration must be documented.
V-8521 | Low | User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts.
V-8526 | Low | The impact of INFOCON changes on the cross-directory authentication configuration must be considered and procedures documented.
V-8525 | Low | Active Directory implementation information must be added to the organization contingency plan where the Risk Management Framework categorization for Availability is moderate or high.