Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-8553 | DS00.3230_AD | SV-30992r1_rule | ECAN-1 ECCD-1 ECCD-2 | Medium |
Description |
---|
Timely replication ensures that directory service data is consistent across all domain controllers that hold a replica of the same directory partition. In an AD implementation that uses AD Sites, domain controllers placed in different sites replicate over site links, whose properties control when and how often inter-site replication runs. If a site link's schedule and replication interval are configured improperly, AD replication may not occur frequently enough, and updates to identification, authentication, or authorization data (for example, a disabled account or a changed group membership) may not be current on all domain controllers. If this data is not current, access to resources may be incorrectly granted or denied. Further policy details: An AD instance may have no site links defined. The following site link settings prevent daily AD replication: 1. Setting the "Replicate every" value to a number greater than 1440 (the number of minutes in one day). 2. Setting the Schedule value for all hours of a day to "Replication Not Available". |
STIG | Date |
---|---|
Active Directory Domain Security Technical Implementation Guide (STIG) | 2014-04-01 |
Check Text ( C-14113r1_chk ) |
---|
1. Start the Active Directory Sites and Services console (Start, Run, "dssite.msc"). 2. Select and expand the Sites item in the left pane. 3. Select and expand the Inter-Site Transports item, then the IP item, in the left pane. 4. For each site link that is defined, perform the following: a. Right-click the site link and select Properties. b. Note the interval in the "Replicate every" field (in minutes). c. Click the Change Schedule button. d. Using the hours marked "Replication Available", determine whether the replication interval and the schedule together allow replication to occur at least once per day. e. Click Cancel to close the Schedule window. f. Click Cancel to close the Properties window. g. If the "Replicate every" value is greater than 1440 minutes, or the schedule leaves no hour in a day marked "Replication Available", daily replication cannot occur and this is a finding. |
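
The manual console walk-through above does not scale to a forest with many site links. The script below is an added example (not part of the STIG text and not a DISA-supplied tool) that reads the same two properties directly from the Configuration partition with the ActiveDirectory module: `replInterval` (the "Replicate every" value, in minutes) and the binary `schedule` attribute that backs the Change Schedule dialog. It decodes the schedule blob, flags any link whose interval exceeds 1440 minutes or whose schedule leaves a day with no "Replication Available" hour, and reports the reason. Function names (`Get-AvailableHoursPerDay`, `Test-SiteLinkDailyReplication`, `Get-SiteLinkReplicationFindings`) and the sample schedule bytes are mine; treating an absent `replInterval` as the 180-minute default is an assumption about KCC behaviour noted in the code. The schedule data is stored in UTC, so the days reported here may differ from the local-time view the console shows.

```powershell
# Added example: automate the V-8553 site link check. Requires the ActiveDirectory
# module (RSAT) and read access to the Configuration naming context.
Import-Module ActiveDirectory

# The schedule attribute is a 188-byte SCHEDULE structure: a 20-byte header
# (Size, Bandwidth, NumberOfSchedules, then one {Type, Offset} entry) followed by
# 168 data bytes, one per hour of the week starting Sunday 00:00 UTC. The low four
# bits of each byte are the four 15-minute slots of that hour; Sites and Services
# writes 0x0F for "Replication Available" and 0x00 for "Replication Not Available".
function Get-AvailableHoursPerDay {
    param([byte[]]$Schedule)
    $perDay = New-Object int[] 7
    if (-not $Schedule) {                      # attribute absent: default schedule, always available
        for ($d = 0; $d -lt 7; $d++) { $perDay[$d] = 24 }
        return $perDay
    }
    if ($Schedule.Length -ne 188) { throw "Unexpected schedule length: $($Schedule.Length)" }
    $offset = [int][BitConverter]::ToUInt32($Schedule, 16)   # data offset from the header entry (normally 20)
    for ($d = 0; $d -lt 7; $d++) {
        for ($h = 0; $h -lt 24; $h++) {
            if (($Schedule[$offset + $d * 24 + $h] -band 0x0F) -ne 0) { $perDay[$d]++ }
        }
    }
    return $perDay
}

# Apply the STIG criteria to one site link and return a result object.
function Test-SiteLinkDailyReplication {
    param(
        [string]$Name,
        [int]$ReplInterval,                # the "Replicate every" value, in minutes
        [byte[]]$Schedule,
        [bool]$IgnoreSchedules = $false    # the IP transport's "Ignore schedules" option
    )
    $reasons = @()
    if ($ReplInterval -gt 1440) { $reasons += "replInterval $ReplInterval exceeds 1440 minutes" }
    if (-not $IgnoreSchedules) {
        $hours = Get-AvailableHoursPerDay -Schedule $Schedule
        for ($d = 0; $d -lt 7; $d++) {
            if ($hours[$d] -eq 0) { $reasons += "no 'Replication Available' hour on $([DayOfWeek]$d) (UTC)" }
        }
    }
    [pscustomobject]@{
        SiteLink     = $Name
        ReplInterval = $ReplInterval
        Finding      = ($reasons.Count -gt 0)
        Reason       = ($reasons -join '; ')
    }
}

# Live check: evaluate every siteLink object under the IP inter-site transport.
function Get-SiteLinkReplicationFindings {
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $ipDN      = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
    $transport = Get-ADObject -Identity $ipDN -Properties options
    $ignore    = (([int]$transport.options) -band 0x1) -ne 0   # NTDSTRANSPORT_OPT_IGNORE_SCHEDULES
    Get-ADObject -LDAPFilter '(objectClass=siteLink)' -SearchBase $ipDN -Properties cn, replInterval, schedule |
        ForEach-Object {
            # Assumption: a missing replInterval behaves as the 180-minute default.
            $interval = if ($_.replInterval) { [int]$_.replInterval } else { 180 }
            Test-SiteLinkDailyReplication -Name $_.cn -ReplInterval $interval -Schedule $_.schedule -IgnoreSchedules $ignore
        }
}

# Constructed sample (not captured from a domain): a schedule that allows only
# Monday 02:00-02:59 UTC, on a link set to replicate every 2880 minutes.
$sample = New-Object byte[] 188
[BitConverter]::GetBytes([uint32]188).CopyTo($sample, 0)    # Size
[BitConverter]::GetBytes([uint32]1).CopyTo($sample, 8)      # NumberOfSchedules
[BitConverter]::GetBytes([uint32]20).CopyTo($sample, 16)    # Offset of the data block
$sample[20 + 1 * 24 + 2] = 0x0F                              # day 1 = Monday, hour 2
Test-SiteLinkDailyReplication -Name 'SAMPLE-LINK' -ReplInterval 2880 -Schedule $sample | Format-List

# Against a real domain:  Get-SiteLinkReplicationFindings | Where-Object Finding
```

Two details matter when reading the output. First, if the IP transport's "Ignore schedules" option is set, the KCC disregards every site link schedule and only the interval can block daily replication, which is why the script reads that option before judging schedules. Second, the manual check only covers site links under the IP transport, so the script does the same; SMTP site links, if any exist, would need a separate pass.
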
Fix Text (F-15020r1_fix) |
---|
Configure every site link so that replication occurs at least daily: set the "Replicate every" value to 1440 minutes or less, and set the schedule so that at least one hour in each day is marked "Replication Available". |