
Active Directory Domain Security Technical Implementation Guide (STIG)


Overview

Date: 2014-12-18
Finding Count: 42 (CAT I (High): 5, CAT II (Med): 32, CAT III (Low): 5)
STIG Description
This STIG provides focused security requirements for the AD or Active Directory Domain Services (AD DS) element for Windows Servers operating systems. These requirements apply to the domain and can typically be reviewed once per AD domain. The separate Active Directory Forest STIG contains forest level requirements. Systems must also be reviewed using the applicable Windows STIG. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.


Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-8534 High Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts.
V-8536 High A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks.
V-36435 High Delegation of privileged accounts must be prohibited.
V-36432 High Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
V-36431 High Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest.
V-8538 Medium Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.
V-43714 Medium Systems must be monitored for remote desktop logons.
V-43713 Medium Systems must be monitored for attempts to use local accounts to log on remotely from other systems.
V-8533 Medium Access to need-to-know information must be restricted to an authorized community of interest.
V-43710 Medium Systems used to manage Active Directory (AD admin platforms) must be Windows 7, Windows Server 2008 R2, or later versions of Windows.
V-8553 Medium Replication must be enabled and configured to occur at least daily.
V-8551 Medium The domain functional level must be at a Windows Server version still supported by Microsoft.
V-43652 Medium Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers.
V-25385 Medium Directory data must be backed up at the required frequency.
V-43650 Medium Administrative accounts for critical servers that require smart cards must have the setting "Smart card is required for interactive logon" disabled and re-enabled at least every 60 days.
V-43651 Medium Other important accounts (VIPs and other administrators) that require smart cards must have the setting "Smart card is required for interactive logon" disabled and re-enabled at least every 60 days.
V-53727 Medium Domain controllers must be blocked from Internet access.
V-36438 Medium Local administrator accounts on domain systems must not share the same password.
V-36436 Medium Only systems dedicated for the sole purpose of managing Active Directory must be used to manage Active Directory remotely.
V-36437 Medium Dedicated systems used for managing Active Directory remotely must be blocked from Internet Access.
V-36434 Medium Administrators must have separate accounts specifically for managing domain workstations.
V-36433 Medium Administrators must have separate accounts specifically for managing domain member servers.
V-25840 Medium The Directory Service Restore Mode (DSRM) password must be changed at least annually.
V-8522 Medium A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries.
V-8523 Medium If a VPN is used in the AD implementation, the traffic must be inspected by the network intrusion detection system (IDS).
V-43648 Medium Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts.
V-8524 Medium When the domain supports a MAC I or II domain, the directory service must be supported by multiple directory servers.
V-8548 Medium The number of member accounts in privileged groups must not be excessive.
V-8549 Medium Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups.
V-43712 Medium Usage of administrative accounts must be monitored for suspicious and anomalous activity.
V-8540 Medium Selective Authentication must be enabled on the outgoing forest trust.
V-44058 Medium Communications from AD admin platforms must be blocked, except with the domain controllers being managed.
V-43711 Medium Separate domain administrative accounts must be used to manage AD admin platforms from any domain accounts used on, or used to manage, non-AD admin platforms.
V-8547 Medium The Everyone and Anonymous Logon groups must be removed from the Pre-Windows 2000 Compatible Access group.
V-44059 Medium Windows service/application accounts with administrative privileges and manually managed passwords must have passwords changed at least every 60 days.
V-43649 Medium Enterprise Admin (EA) and Domain Admin (DA) accounts that require smart cards must have the setting "Smart card is required for interactive logon" disabled and re-enabled at least every 60 days.
V-25997 Medium Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.
V-8530 Low Each cross-directory authentication configuration must be documented.
V-25841 Low Security vulnerability reviews of the domain and/or forest in which the domain controller resides must be conducted at least annually.
V-8521 Low User accounts with delegated authority must be removed from Windows built-in administrative groups, or the delegated authority must be removed from the accounts.
V-8526 Low The impact of INFOCON changes on the cross-directory authentication configuration must be considered and procedures documented.
V-8525 Low AD implementation information must be added to the sites disaster recovery plans, including AD forest, tree, and domain structure.