Active Directory Forest Security Technical Implementation Guide (STIG)

Overview

Version	Date	Finding Count (4)			Downloads
2	2011-05-12 2013-03-12 2013-03-12 2013-03-12 2014-01-07 2014-01-07 2014-01-07 2014-12-18 2014-12-18 2014-12-18 2014-12-18 2016-02-19 2016-02-19 2016-12-19 2016-12-19 2016-12-19 2016-12-19 2016-12-19 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30 2018-05-30	CAT I (High): 1	CAT II (Med): 2	CAT III (Low): 1	Excel	JSON	XML

STIG Description
This STIG is applicable for all Windows servers if a forest architecture is implemented for the Active Directory (AD). The settings required by each check will be applied to each Forest as a whole. This STIG does not apply if a forest is not implemented. The system must also be hardened using the Windows 2003 (or 2003 R2) or Windows 2008 (or 2008 R2) STIG. The system must also be reviewed using the applicable Windows and AD Service STIG, depending on the Windows version installed on the server.

STIG Description

This STIG is applicable for all Windows servers if a forest architecture is implemented for the Active Directory (AD). The settings required by each check will be applied to each Forest as a whole. This STIG does not apply if a forest is not implemented. The system must also be hardened using the Windows 2003 (or 2003 R2) or Windows 2008 (or 2008 R2) STIG. The system must also be reviewed using the applicable Windows and AD Service STIG, depending on the Windows version installed on the server.

Available Profiles

Classified	Public	Sensitive
I - Mission Critical Classified	I - Mission Critical Public	I - Mission Critical Sensitive	II - Mission Support Classified	II - Mission Support Public	II - Mission Support Sensitive	III - Administrative Classified	III - Administrative Public	III - Administrative Sensitive

Findings (MAC III - Administrative Sensitive)

Finding ID	Severity	Title	Description
V-15372	High	Update access to the directory schema must be restricted to appropriate accounts.	A failure to control update access to the AD Schema object could result in the creation of invalid directory objects and attributes. Applications that rely on AD could fail as a result of invalid...
V-8557	Medium	The Windows Time Service on the forest root PDC Emulator must be configured to acquire its time from an external time source.	When the Windows Time service is used to synchronize time on client computers (workstations and servers) throughout an AD forest, the forest root domain PDC Emulator is the normal default to...
V-8555	Medium	Anonymous Access to AD forest data above the rootDSE level must be disabled.	For Windows Server 2003 or above, the dsHeuristics option can be configured to override the default restriction on anonymous access to AD data above the rootDSE level. Anonymous access to AD data...
V-8527	Low	Changes to the AD schema must be subject to a documented configuration management process.	Poorly planned or implemented changes to the AD schema could cause the applications that rely on AD (such as web and database servers) to operate incorrectly or not all. Improper changes to the...