Active Directory Forest Security Technical Implementation Guide
Overview
| Version | Date | Finding Count (7) | Downloads | ||
| 3 | 2025-05-15 | CAT I (High): 3 | CAT II (Medium): 3 | CAT III (Low): 1 | |
| STIG Description |
| This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. |
Findings - All
| Finding ID | Severity | Title | Description |
|---|---|---|---|
| V-243506 | Update access to the directory schema must be restricted to appropriate accounts. | A failure to control update access to the AD Schema object could result in the creation of invalid directory objects and attributes. Applications that... | |
| V-269098 | Windows Server hosting Active Directory Certificate Services (AD CS) must enforce Certificate Authority (CA) certificate management approval for certificate requests. | When users are requesting new certificates through AD CS, there must be management approval and awareness for these requests. Without this, a user or ... | |
| V-269099 | Windows Server running Active Directory Certificate Services (AD CS) must be managed by a PAW tier 0. | Verify that a site has set aside one or more PAWs for remote management of AD CS.... | |
| V-243502 | Membership to the Schema Admins group must be limited. | The Schema Admins group is a privileged group in a forest root domain. Members of the Schema Admins group can make changes to the schema, which is the... | |
| V-243503 | Anonymous Access to AD forest data above the rootDSE level must be disabled. | For Windows Server 2003 or above, the dsHeuristics option can be configured to override the default restriction on anonymous access to AD data above t... | |
| V-243504 | The Windows Time Service on the forest root PDC Emulator must be configured to acquire its time from an external time source. | When the Windows Time service is used to synchronize time on client computers (workstations and servers) throughout an AD forest, the forest root doma... | |
| V-243505 | Changes to the AD schema must be subject to a documented configuration management process. | Poorly planned or implemented changes to the AD schema could cause the applications that rely on AD (such as web and database servers) to operate inco... |