| V-8534 | High | Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts. | If a robust cross-domain solution is not used, then it could permit unauthorized access to classified data. To support secure access between resources of different classification levels, the... |
| V-8536 | High | A controlled interface is required for interconnections among DoD information systems operating between DoD and non-DoD systems or networks. | The configuration of an AD trust relationship is one of the steps used to allow users in one domain to access resources in another domain, forest, or Kerberos realm. When a trust is defined... |
| V-8548 | Medium | The number of member accounts in privileged groups must not be excessive. | Membership in the following Windows security groups assigns a high privilege level for AD functions: Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, and Incoming... |
| V-8549 | Medium | Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups.
| Membership in certain default directory groups assigns a high privilege level for access to the directory. In AD, membership in the following groups enables high privileges relative to AD and the... |
| V-8524 | Medium | When the domain supports a MAC I or II domain, the directory service must be supported by multiple directory servers. | In AD architecture, multiple domain controllers provide availability through redundancy. If an AD domain or servers within it are designated as MAC I or II and the domain is supported by only a... |
| V-8523 | Medium | If a VPN is used in the AD implementation, the traffic must be inspected by the network Intrusion detection system (IDS). | To provide data confidentiality, a VPN is configured to encrypt the data being transported. While this protects the data, some implementations do not allow that data to be processed through an... |
| V-8540 | Medium | Selective Authentication must be enabled on the outgoing forest trust. | Outbound AD forest trusts can be configured with the Selective Authentication option. Enabling this option significantly strengthens access control by requiring explicit authorization (through the... |
| V-25840 | Medium | The Directory Service Restore Mode (DSRM) password must be changed at least annually. | This is a tremendously powerful password which should be changed periodically. This password is unique to each DC and is used to logon to a DC when rebooting into the server recovery mode. With... |
| V-8547 | Medium | The Everyone and Anonymous Logon groups must be removed from the Pre-Windows 2000 Compatible Access group.
| The Pre-Windows 2000 Compatible Access group was created to allow Windows NT domains to interoperate with AD domains by allowing unauthenticated access to certain AD data. The default permissions... |
| V-8522 | Medium | A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries. | The normal operation of AD requires the use of IP network ports and protocols to support queries, replication, user authentication, and resource authorization services. At a minimum, LDAP or LDAPS... |
| V-8533 | Medium | Access to need-to-know information must be restricted to an authorized community of interest. | Because trust relationships effectively eliminate a level of authentication in the trusting domain or forest, they represent less stringent access control at the domain or forest level in which... |
| V-8553 | Medium | Replication must be enabled and configured to occur at least daily. | Timely replication makes certain that directory service data is consistent across all servers that support the same scope of data for their clients. In AD implementation using AD Sites, domain... |
| V-8551 | Medium | The domain functional level must be Windows 2003 or higher. | Non-vendor supported versions of AD are not permitted for use in DoD. Domain controllers using Windows NT and Windows 2000 are no longer supported or updated by the vendor. If Windows NT or... |
| V-25385 | Medium | Directory data must be backed up at the required frequency. | Failure to maintain a current backup of directory data could make it difficult or impossible to recover from incidents including hardware failure or malicious corruption. A failure to recover... |
| V-8538 | Medium | Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust. | Under some circumstances it is possible for attackers or rogue administrators that have compromised a domain controller in a trusted domain to use the SID history attribute (sIDHistory) to... |
| V-25997 | Medium | Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements. | The RODC role provides a unidirectional replication method for selected information from your internal network to the DMZ. If not properly configured so that the risk footprint is minimized, the... |
| V-8525 | Low | AD implementation information must be added to the sites disaster recovery plans, including AD forest, tree, and domain structure.
| When an incident occurs that requires multiple AD domain controllers to be rebuilt, it is critical to understand the AD hierarchy and replication flow so that the correct recovery sequence and... |
| V-25841 | Low | Security vulnerability reviews of the domain and/or forest in which the domain controller resides must be conducted at least annually.
| An AD domain controller is impacted by the AD environment created by the security configuration of the domain and forest in which the domain controller resides. A proper review of the AD... |
| V-8530 | Low | Each cross-directory authentication configuration must be documented. | AD external, forest, and realm trust configurations are designed to extend resource access to a wider range of users (those in other directories). If specific baseline documentation of authorized... |
| V-8521 | Low | User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts. | In AD it is possible to delegate account and other AD object ownership and administration tasks. (This is commonly done for help desk or other user support staff.) This is done to avoid the need... |
| V-8526 | Low | The impact of INFOCON changes on the cross-directory authentication configuration must be considered and procedures documented. | When incidents occur that require a change in the INFOCON status, it may be necessary to take action to restrict or disable certain types of access that is based on a directory outside the... |
