Selective Authentication must be enabled on the outgoing forest trust.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-8540 | AD.0200 | SV-9037r1_rule | ECAN-1 ECCD-1 ECCD-2 | Medium |
| Description |
|---|
| Outbound AD forest trusts can be configured with the Selective Authentication option. Enabling this option significantly strengthens access control by requiring explicit authorization (through the Allowed to Authenticate permission) on resources in the trusting forest. When Selective Authentication is not enabled, less secure resource access permissions (such as those that specify Authenticated Users) might permit unauthorized access. Further Policy Details: Selective Authentication can be configured with the Domains and Trusts console (domain.msc). It may be necessary to configure the Allowed to Authenticate permission on resources in the trusting domain. |
| STIG | Date |
|---|---|
| Active Directory Domain Security Technical Implementation Guide (STIG) | 2013-03-12 |
Details
| Check Text ( C-7702r1_chk ) |
|---|
| 1. Start the Active Directory Domains and Trusts console (Start, Run, “domain.msc”). 2. Select the left pane item that matches the name of the domain being reviewed and perform the following: a. Right-click the domain name and select the Properties item. b. On the domain object Properties window, select the Trusts tab. c. For each outgoing forest trust, right-click the trust item and select the Properties item. d. On the trust Properties window, select the Authentication tab. Determine if the Selective Authentication option is selected. 3. If the Selective Authentication option is not selected on every outgoing forest trust, then this is a finding. |
| Fix Text (F-8066r1_fix) |
|---|
| Enable Selective Authentication on the outgoing forest trust. |