Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-243489	AD.0270	SV-243489r723564_rule		Medium

Description
The RODC role provides a unidirectional replication method for selected information from your internal network to the DMZ. If not properly configured so that the risk footprint is minimized, the interal domain controller or forest can be compromised. RODC is considered part of the site's Forest or Domain installation since it is not a standalone product, but rather a role of the the Windows AD DS full installation or Server Core installation. It is possible to have Windows 2003 clients authenticated using RODC, however, compatibility packs are needed. Note that RODC is not authorized for use across the site's perimeter firewall.

Description

The RODC role provides a unidirectional replication method for selected information from your internal network to the DMZ. If not properly configured so that the risk footprint is minimized, the interal domain controller or forest can be compromised. RODC is considered part of the site's Forest or Domain installation since it is not a standalone product, but rather a role of the the Windows AD DS full installation or Server Core installation. It is possible to have Windows 2003 clients authenticated using RODC, however, compatibility packs are needed. Note that RODC is not authorized for use across the site's perimeter firewall.

STIG	Date
Active Directory Domain Security Technical Implementation Guide	2024-02-26

Details

Check Text ( C-46764r723500_chk )
1. Verify that the site has applied the Network Infrastucture STIG to configure the VPN and IPSec. 2. Verify that IPSec and other communications and security configurations for the management and replication of the RODC will be managed by use of the minimum required Group Policy Objects (GPOs). 3. Include an inspection of the RODC server in the DMZ when inspection for least privilege. 4. Verify that required patches and compatibility packs are installed if RODC is used with Windows 2003 (or earlier) clients. 5. If RODC server and configuration does not comply with requirements, then this is a finding.

Check Text ( C-46764r723500_chk )

1. Verify that the site has applied the Network Infrastucture STIG to configure the VPN and IPSec.

2. Verify that IPSec and other communications and security configurations for the management and replication of the RODC will be managed by use of the minimum required Group Policy Objects (GPOs).

3. Include an inspection of the RODC server in the DMZ when inspection for least privilege.

4. Verify that required patches and compatibility packs are installed if RODC is used with Windows 2003 (or earlier) clients.

5. If RODC server and configuration does not comply with requirements, then this is a finding.

Fix Text (F-46721r723501_fix)
1. Ensure compliance with VPN and IPSec requirements in the Network Insfrastucture STIG. 2. Ensure IPSec and other communications and security configurations for the management and replication of the RODC uses the minimum required Group Policy Objects (GPOs) to provide the required functionality. 3. Replicate only the information needed to provide the functionality required. If full replication of all directory data is not needed, then replicated selective ID and authentication information as needed to the RODC. 4. Include an inspection of the RODC server in the DMZ when inspection for least privilege.

Fix Text (F-46721r723501_fix)

1. Ensure compliance with VPN and IPSec requirements in the Network Insfrastucture STIG.

2. Ensure IPSec and other communications and security configurations for the management and replication of the RODC uses the minimum required Group Policy Objects (GPOs) to provide the required functionality.

3. Replicate only the information needed to provide the functionality required. If full replication of all directory data is not needed, then replicated selective ID and authentication information as needed to the RODC.

4. Include an inspection of the RODC server in the DMZ when inspection for least privilege.