{
"stig": {
"date": "2011-05-20",
"description": "This STIG is applicable to all Windows 2003 servers with the Windows Active Directory (AD). The settings required by each check will be applied to each Domain Controller running the AD directory service. The system must also be reviewed using the Windows 2003 (or 2003 R2) and the Active Directory Domain STIGs. Also, if a forest architecture is implemented, a security review using the Active Directory Forest STIG is required.",
"findings": {
"V-12780": {
"checkid": "C-7745r3_chk",
"checktext": "1. Start the Security Configuration and Analysis tool.\n\n2. Select and expand the \u201cSecurity Configuration and Analysis\u201d item in the left pane.\n\n3. Select and expand the \u201cLocal Policies\u201d item in the left pane.\n\n4. Select the \u201cUser Rights Assignment\u201d item in the left pane.\n\n5. Scroll down to the \u201cSynchronize Directory Service Data Right\u201d item in the right pane.\n\n6. Note the values indicated in the Computer Setting column.\n\n7. If any accounts (including groups) are assigned the Synchronize Directory Service Data Right, then this is a finding.\n",
"description": "A Windows account with the Synchronize Directory Service Data right has the ability to read all information in the AD database. This bypasses the object access permissions that would otherwise restrict access to the data. The scope of access granted by this right is too broad for secure usage. Specific object permissions or other group membership assignments could be used to provide access on an appropriate scale.",
"fixid": "F-12301r3_fix",
"fixtext": "If any accounts (including groups) are assigned the Synchronize Directory Service Data Right, then remove this right from the account.",
"iacontrols": [
"ECAN-1",
"ECCD-1",
"ECCD-2",
"ECLP-1"
],
"id": "V-12780",
"ruleID": "SV-13345r3_rule",
"severity": "high",
"title": "The Synchronize Directory Service Data user right must not be assigned to any account.",
"version": "DS00.0210_AD"
},
"V-14783": {
"checkid": "C-14086r2_chk",
"checktext": "1. Interview the Application SA.\n\n2. With the assistance of the SA, NSO, or network reviewer as required, review the site network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted.\n\n3. Determine the classification level of the Windows domain controller.\n\n4. If the classification level of the Windows domain controller is higher than the level of the networks, review the site network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic.\n\n5. If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, then this is a finding.",
"description": "Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network or when SAMI data is included. ",
"fixid": "F-15001r2_fix",
"fixtext": "Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level that transfers replication data through a network cleared to a lower level than the data.",
"iacontrols": [
"ECCT-2",
"ECNK-2"
],
"id": "V-14783",
"ruleID": "SV-16169r2_rule",
"severity": "medium",
"title": "Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.",
"version": "DS00.3281_AD"
},
"V-14789": {
"checkid": "C-14084r2_chk",
"checktext": "1. Interview the application SA or site representative. Ask if the site uses locally written applications that are running on the domain controllers.\n\n2. If the site indicates AD directory maintenance does not use non-vendor code, then this check is not applicable.\n\n3. If AD directory maintenance does use non-vendor code, obtain a copy of the security review results or other documentation which indicates that the review was completed. A self-assessment using the Application STIG is acceptable.\n\n4. If the non-vendor code has not been reviewed using the Application STIG since it was created or modified, then this is a finding.",
"description": "Unlike vendor programs that might be recovered by purchasing and\\or downloading a replacement copy, the lack of a backup for locally written (non-vendor) code could result in the inability to recover from inadvertent or malicious deletion or simple hardware failure. ",
"fixid": "F-14999r2_fix",
"fixtext": "Perform a security review using the Application STIG.",
"iacontrols": [
"COSW-1"
],
"id": "V-14789",
"ruleID": "SV-16167r2_rule",
"severity": "medium",
"title": "Locally written (non-vendor) code used in AD operations must comply with the requirements of the Application STIG.",
"version": "DS00.6110_AD"
},
"V-14797": {
"checkid": "C-14089r2_chk",
"checktext": "At this time, mark this check as a finding for all Windows domain controllers for sensitive or classified levels because Microsoft's AD or AD DS does not provide a method to restrict anonymous access to the root DSE on domain controllers.\n\n1. With the assistance of the application SA, execute an LDAP browser utility that allows an account to be specified to access the directory.\n\n2. Some client technologies may use default credentials if none are specified. The correct method must be used to ensure anonymous access is actually invoked.\n\n3. On Windows systems, the \u201cldp.exe\u201d utility from the Windows Support Tools can be used. See the directions for \u201cldp.exe\u201d below.\n\n4. Using the LDAP browser and specifying anonymous access (through the technology or tool-specific method), search the directory for the root DSE by specifying a null search base and a search scope of \u201cbase\u201d.\n\n5. If the LDAP browser displays information from the root DSE under anonymous access, then this is a finding.\n\nSupplemental Notes:\n\n- To use the \u201cldp.exe\u201d utility to attempt an anonymous query of the root DSE:\n-- From the Connection menu item, select Connect.\n-- On the Connect dialog, enter the Server name and the correct port (usually 389 or 636), and select OK.\n-- From the Connection menu item, select Bind.\n-- Clear the User, Password, and Domain fields, the Domain checkbox, and select OK.\n-- Ensure that \u201cldap_simple_bind\u201d and \u201cAuthenticated as dn:\u2019Null\u2019\u201d is displayed.\n-- From the Browse menu item, select Search.\n-- On the Search dialog, select Options.\n-- On the Search Options dialog, clear the Attributes field and select OK.\n-- On the Search dialog, clear the Base DN field; select the Base checkbox; set Filter to \u201c(objectclass=*)\u201d; and select Run.\n-- Ensure that \u201cGetting 1 entries:\u201d is displayed.\n-- If root DSE attributes (such as namingContexts) are displayed, anonymous access to the root DSE is enabled.",
"description": "Allowing anonymous access to the root DSE data on a directory server provides potential attackers with a number of details about the configuration and data contents of a directory. For example, the namingContexts attribute indicates the directory space contained in the directory; the supportedLDAPVersion attribute indicates which versions of the LDAP protocol the server supports; and the supportedSASLMechanisms attribute indicates the names of supported authentication mechanisms. An attacker with this information may be able to select more precisely targeted attack tools or higher value targets.\n",
"fixid": "F-15004r2_fix",
"fixtext": "Disable anonymous access to the root DSE of a non-public directory.\n",
"iacontrols": [
"ECAN-1",
"ECCD-1",
"ECCD-2"
],
"id": "V-14797",
"ruleID": "SV-16172r3_rule",
"severity": "low",
"title": "Anonymous access to the root DSE of a non-public directory must be disabled.",
"version": "DS00.3131_AD"
},
"V-14798": {
"checkid": "C-14090r4_chk",
"checktext": "1. With the assistance of the SA, execute an LDAP browser utility that allows an account to be specified to access the directory.\n\n2. Some technologies may use default (logon) credentials if none are specified. The correct method must be used to ensure anonymous access is actually invoked.\n\n3. On Windows systems, the \u201cldp.exe\u201d utility (from the Windows Support Tools or from the DISA IASE website) can be used. See the directions for \u201cldp.exe\u201d below.\n\n4. Using the LDAP browser and specifying anonymous access (through the tool-specific method), search the directory for the AD domain naming context.\n\n5. The AD domain naming context is documented in the value of the defaultNamingContext attribute in the root DSE. Generally, this value is something like \u201cdc=disaost,dc=mil\u201d.\n\n6. If the LDAP browser displays the AD domain naming context under anonymous access, then this is a finding.\n\nSupplemental Notes:\n\n- To use the \u201cldp.exe\u201d utility to attempt an anonymous query of the domain naming context:\n-- From the Connection menu item, select Connect.\n-- On the Connect dialog, enter the Server name and the correct port (usually 389 or 636), and select OK.\n-- From the Connection menu item, select Bind.\n-- Clear the User, Password, and Domain fields, the Domain checkbox, and select OK.\n-- Ensure that \u201cldap_simple_bind\u201d and \u201cAuthenticated as dn:\u2019Null\u2019\u201d is displayed.\n-- From the Browse menu item, select Search.\n-- On the Search dialog, select Options.\n-- On the Search Options dialog, clear the Attributes field and select OK.\n-- On the Search dialog, enter the DN of the domain naming context (generally something like \u201cdc=disaost,dc=mil\u201d) in the Base DN field and select Run.\n-- Ensure that \u201cGetting n entries:\u201d is displayed.\n-- If attribute data is displayed, anonymous access is enabled to the domain naming context.\n\nFor AD, there are multiple configuration items that could enable anonymous access.\n1. For all Windows server OSs, changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the Check procedures indicate this is the cause, the process that was used to change the permissions should be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc).\n\n2. The dsHeuristics option is used. This is addressed in check V-8555 (DS.0230_AD) in the AD Forest STIG.",
"description": "To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.\n",
"fixid": "F-15005r2_fix",
"fixtext": "Configure directory data (outside the root DSE) of a non-public directory to prevent anonymous access. ",
"iacontrols": [
"ECAN-1",
"ECCD-1",
"ECCD-2"
],
"id": "V-14798",
"ruleID": "SV-16173r3_rule",
"severity": "high",
"title": "Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access. ",
"version": "DS00.3130_AD"
},
"V-14820": {
"checkid": "C-34273r1_chk",
"checktext": "Server Certificate Procedures:\n\n1. With the assistance of the application SA, display the PKI certificate(s) being used by the domain controller itself.\na. Start a Certificates management console for the local computer. If one does not exist, use the notes below to create one.\n\n2. Select and expand the Certificates (Local Computer) entry in the left pane.\n\n3. Select and expand the Personal entry in the left pane.\n\n4. Select the Certificates entry in the left pane.\n\n5. Examine the \u201cIssued By\u201d field for the certificate to determine the issuing CA.\n\n6. If the Issued By field of the PKI certificate being used by the domain controller does not indicate that the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, then this is a finding.\n\nSupplemental Notes:\n\nThere are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: \n-- The Global Directory Service (GDS) web site provides an online source. The address for this site is https://crl.gds.disa.mil.\n-- DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers. The utility package can be downloaded from https://powhatan.iiie.disa.mil/pki-pke/landing_pages/admins.html and it includes a list of authorized CAs.",
"description": "A PKI implementation depends on the practices established by the Certificate Authority to ensure that the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.",
"fixid": "F-15006r2_fix",
"fixtext": "Use PKI certificates that are issued by the DoD PKI or an approved External Certificate Authority (ECA). ",
"iacontrols": [
"IAKM-1",
"IAKM-2",
"IATS-1",
"IATS-2"
],
"id": "V-14820",
"ruleID": "SV-16174r2_rule",
"severity": "high",
"title": "PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA). ",
"version": "DS00.2140_AD"
},
"V-14831": {
"checkid": "C-14088r2_chk",
"checktext": "1. Use either the ntdsutil.exe or the dsquery.exe utility to display the value for MaxConnIdleTime in the lDAPAdminLimits attribute. (See instructions in Supplemental Notes.)\n\n2. If the value for MaxConnIdleTime is greater than 300 (the value for five minutes) or it is not specified, then this is a finding.\n\nSupplemental Notes:\n\nTo use the \u201cntdsutil.exe\u201d utility to display MaxConnIdleTime:\n1. At a command line prompt enter ntdsutil\n2. At the \u201cntdsutil:\u201d prompt, enter LDAP policies\n3. At the \u201cldap policy:\u201d prompt, enter connections\n4. At the \u201cserver connections:\u201d prompt, enter connect to server [host-name]\n(Where [host-name] is the computer name of the domain controller.)\n5. At the \u201cserver connections:\u201d prompt, enter q\n6. At the \u201cldap policy:\u201d prompt, enter show values\n7. Enter q at the \u201cldap policy:\u201d and \u201cntdsutil:\u201d prompts to exit.\n\nTo use the \u201cdsquery.exe\u201d utility to display MaxConnIdleTime:\n1. At a command line prompt enter (on a single line):\ndsquery * \"cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]\" -attr lDAPAdminLimits\n(Where the quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed.)",
"description": "The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.\n",
"fixid": "F-15003r2_fix",
"fixtext": "Configure the directory service to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.",
"iacontrols": [
"ECTM-1",
"ECTM-2"
],
"id": "V-14831",
"ruleID": "SV-16171r2_rule",
"severity": "low",
"title": "The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.",
"version": "DS00.3370_AD"
},
"V-15488": {
"checkid": "C-32057r1_chk",
"checktext": "Use the following procedure to check a sample of accounts.\n1. Open Active Directory Users and Computers.\n2. Select the Users node.\n3. For each User account sampled, right-click and select Properties.\n4. Select the Account tab.\n5. View the setting in Account Options area.\n6. Verify that the option \u201cSmart card is required for interactive logon\u201d is checked.\n",
"description": "CTO 07-015 requires PKI authentication. PKI is a two-factor authentication technique, thus it provides a higher level of trust in the asserted identity than use of the username/password authentication technique.",
"fixid": "F-28436r1_fix",
"fixtext": "Configure user accounts in Active Directory to enable the option \u201cSmart card is required for interactive logon\u201d.",
"iacontrols": [
"IAIA-1",
"IAIA-2"
],
"id": "V-15488",
"ruleID": "SV-28511r3_rule",
"severity": "medium",
"title": "For unclassified systems, the directory server must be configured to use the CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.",
"version": "AD.1033_2003"
},
"V-2370": {
"checkid": "C-9329r4_chk",
"checktext": "Verifying Group Policy Object Procedures - Site Policies:\n\n1. Start the Active Directory Sites and Services console (\u201cStart\u201d, \u201cRun\u2026\u201d, \u201cdssite.msc\u201d).\n\n2. Select and expand the Sites item in the left pane.\n\n3. For each AD site that is defined (building icon):\na. Right-click the AD site and select the Properties item.\nb. On the site Properties window, select the Group Policy tab.\nc. For *each* Group Policy Object Link:\nd. Select the Group Policy Object Link item.\ne. Select the Properties button.\nf. On the site Group Policy Properties window, select the Security tab.\ng. Compare the ACL of each site Group Policy to the specifications for Group Policy Objects below.\n\nGroup Policy Object Permissions:\n [Group Policy - e.g., Default Domain]\n\t:Administrators, SYSTEM\t:Full Control (F)\n\t:CREATOR OWNER\t\t:Full Control (F)\n\t:ENTERPRISE DOMAIN CONTROLLERS*\t :Read\n\t:Authenticated Users\t:Read,\n\t\t\t Apply Group Policy\n\t: [IAO-approved users \\ user groups] \t: Read,\n\t\t\t Apply Group Policy\n\n4. If the actual permissions for any AD site Group Policy object are not at least as restrictive as those above, then this is a finding.\n\nSupplemental Note:\nAn AD instance may have no AD site Group Policies defined.\n\n1. Groups containing authenticated users (such as the Authenticated Users group), other locally created user groups, and individual users may have the Read and Apply Group Policy permissions set to Allow or Deny.\n\n2. The Anonymous Logon, Guests, or any group that contains those groups (in which users are not uniquely identified and authenticated) must not have any access permissions unless the group and justification is explicitly documented with the IAO.\n\n3. Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the IAO.",
"description": "When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service.\n\nFor AD, the Group Policy and OU objects require special attention. In a distributed administration model (such as might be used with a help desk or other user support staff), Group Policy and OU objects are more likely to have access permissions changed from the secure defaults.\n\nIf inappropriate access permissions are defined for Group Policy Objects, it could allow an intruder to change the security policy applied to all domain client computers (workstations and servers).\n\nIf inappropriate access permissions are defined for OU objects, it could allow an intruder to add or delete users in the OU. This could result in unauthorized access to data or a denial of service to authorized users.\n",
"fixid": "F-14375r2_fix",
"fixtext": "Configure the access control permissions for the directory service database objects using the required access permissions. ",
"iacontrols": [
"ECAN-1",
"ECCD-1",
"ECCD-2",
"ECLP-1"
],
"id": "V-2370",
"ruleID": "SV-15602r3_rule",
"severity": "high",
"title": "The access control permissions for the directory service site group policy must be configured to use the required access permissions. ",
"version": "DS00.0130_AD"
},
"V-2373": {
"checkid": "C-32082r1_chk",
"checktext": "1. Analyze the system using the Security Configuration and Analysis snap-in. \n\n2. Expand the Security Configuration and Analysis tree view.\n\n3. Navigate to Local Policies and select Security Options.\n\n4. If the value for \u201cDomain Controller: Allow server operators to schedule tasks\u201d is not set to \u201cDisabled\u201d, then this is a finding.",
"description": "This policy controls the ability of members of the local Server Operators group to schedule AT jobs. If disabled, only administrators can schedule jobs that use AT commands. Unlike Scheduled Tasks, which require you to specify the credential under which the task will run, AT jobs run under the authority of whatever account the AT service runs as (SYSTEM by default). Non-administrators who can schedule AT commands thus have a means to elevate their privileges. Even with this setting disabled, Server Operators will still be able to schedule jobs using Task Scheduler.",
"fixid": "F-28439r1_fix",
"fixtext": "Set the value for \u201cDomain Controller: Allow server operators to schedule tasks\u201d to \u201cDisabled\u201d.\n\nThe policy referenced configures the following registry value:\nRegistry Hive: HKEY_LOCAL_MACHINE \nRegistry Path: \\System\\CurrentControlSet\\Control\\LSA\\\nValue Name: SubmitControl\nValue Type: REG_DWORD\nValue: 0\n",
"iacontrols": [
"ECSC-1"
],
"id": "V-2373",
"ruleID": "SV-2373r8_rule",
"severity": "medium",
"title": "The Server Operators group must have the ability to schedule jobs by means of the AT command disabled.",
"version": "AD.3058"
},
"V-2376": {
"checkid": "C-468r2_chk",
"checktext": "1. Analyze the system using the Security Configuration and Analysis tool.\n\n2. Expand the Security Configuration and Analysis tree view.\n\n3. Navigate to Account Policies -> Kerberos Policy.\n\n4. If the \u201cEnforce user logon restrictions\u201d is not set to \u2018Enabled\u2019, then this is a finding.",
"description": "This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default, which is the most secure setting, because it ensures that validation of access to target resources is not circumvented.",
"fixid": "F-5781r2_fix",
"fixtext": "Set the Kerberos policy option \u201cEnforce user logon restrictions\u201d to \u2018Enabled\u2019",
"iacontrols": [
"ECSC-1"
],
"id": "V-2376",
"ruleID": "SV-28495r2_rule",
"severity": "medium",
"title": "The Kerberos policy option must be configured to enforce user logon restrictions.",
"version": "AD.4029_2003"
},
"V-2377": {
"checkid": "C-32087r1_chk",
"checktext": "1. Analyze the system using the Security Configuration and Analysis snap-in. \n\n2. Expand the Security Configuration and Analysis tree view. Navigate to Account Policies -> Kerberos Policy. \n\n3. If the \u201cMaximum lifetime for service ticket\u201d is greater than \u2018600\u2019 minutes, then this is a finding.",
"description": "This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection.",
"fixid": "F-5782r1_fix",
"fixtext": "Configure the Kerberos policy option Maximum lifetime for service ticket to a maximum of 600 minutes or less.",
"iacontrols": [
"ECSC-1"
],
"id": "V-2377",
"ruleID": "SV-28496r2_rule",
"severity": "medium",
"title": "The Kerberos service ticket maximum lifetime must meet minimum standards.",
"version": "AD.4030_2003"
},
"V-2378": {
"checkid": "C-470r2_chk",
"checktext": "1. Analyze the system using the Security Configuration and Analysis snap-in.\n\n2. Expand the Security Configuration and Analysis tree view.\n\n3. Navigate to Account Policies -> Kerberos Policy.\n\n4. If the \u201cMaximum lifetime for user ticket\u201d is greater than \u201810\u2019 hours, then this is a finding.",
"description": "In Kerberos, there are 2 types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user\u2019s initial authentication to the domain controller results in a TGT which is then used to request Service Tickets to resources. Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. For services that startup under a specified user account, users must always get a TGT first, then get Service Tickets to all computers and services accessed. ",
"fixid": "F-5783r2_fix",
"fixtext": "Set the Kerberos policy option \"maximum lifetime for user ticket\" to a maximum of 10 hours or less.",
"iacontrols": [
"ECSC-1"
],
"id": "V-2378",
"ruleID": "SV-28498r2_rule",
"severity": "medium",
"title": "The Kerberos policy option maximum lifetime for user ticket must be set to a maximum of 10 hours or less.",
"version": "AD.4031_2003"
},
"V-2379": {
"checkid": "C-471r2_chk",
"checktext": "1. Analyze the system using the Security Configuration and Analysis.\n\n2. Expand the Security Configuration and Analysis tree view.\n\n3. Navigate to Account Policies -> Kerberos Policy.\n\n4. If the \u201cMaximum lifetime for user ticket renewal\u201d is greater than \u20187\u2019 days, then this is a finding.",
"description": "This setting determines the period of time (in days) during which a user's TGT may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access.",
"fixid": "F-5784r2_fix",
"fixtext": "Configure the Kerberos policy option \"Maximum lifetime for user ticket renewal\" to a maximum of 7 days or less.",
"iacontrols": [
"ECSC-1"
],
"id": "V-2379",
"ruleID": "SV-28500r2_rule",
"severity": "medium",
"title": "The Kerberos policy option Maximum lifetime for user ticket renewal must be configured for a maximum of 7 days or less.",
"version": "AD.4032_2003"
},
"V-2380": {
"checkid": "C-472r2_chk",
"checktext": "1. Analyze the system using the Security Configuration and Analysis tool.\n\n2. Expand the Security Configuration and Analysis tree view.\n\n3. Navigate to Account Policies -> Kerberos Policy.\n\n4. If the \u201cMaximum tolerance for computer clock synchronization\u201d is greater than \u20185\u2019 minutes, then this is a finding.",
"description": "This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.",
"fixid": "F-5785r2_fix",
"fixtext": "Configure the Kerberos policy option Maximum tolerance for computer clock synchronization to a maximum of 5 minutes or less. ",
"iacontrols": [
"ECSC-1"
],
"id": "V-2380",
"ruleID": "SV-28504r2_rule",
"severity": "medium",
"title": "The Kerberos policy option Maximum tolerance for computer clock synchronization must be set to a maximum of 5 minutes or less. ",
"version": "AD.4033_2003"
},
"V-26683": {
"checkid": "C-14091r2_chk",
"checktext": "This check verifies the proper use of PKI certificates for the user accounts defined in the directory.\n\nAccount Certificate Procedures:\n- Ask the SA to identify one or more account entries in the directory, that the local SA group is responsible for, for which a PKI certificate has been imported.\n- Start the Active Directory Users and Computers console (\u201cStart\u201d, \u201cRun\u2026\u201d, \u201cdsa.msc\u201d).\n- Select the Users container or the OU in which the accounts identified by the SA are defined.\n For *each* of the accounts identified: \n-- Right-click the entry and select the Properties item.\n-- Select the Published Certificates tab.\n-- Examine the Issued By field for the certificates to determine the issuing CA.\n- If the Issued By field of any PKI certificate being stored with an account definition that the local SA group is responsible for does not indicate that the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, then this is a finding.",
"description": "A PKI implementation depends on the practices established by the Certificate Authority to ensure that the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. ",
"fixid": "F-14336r1_fix",
"fixtext": "- Replace the unauthorized certificates with ones issued by the DoD PKI or an approved External Certificate Authority. \n",
"iacontrols": [
"IAKM-1",
"IAKM-2",
"IATS-1",
"IATS-2"
],
"id": "V-26683",
"ruleID": "SV-33885r1_rule",
"severity": "high",
"title": "PKI certificates (user certificates) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).",
"version": "DS00.2141_2003"
},
"V-27109": {
"checkid": "C-32092r1_chk",
"checktext": "1. Use Registry Editor to navigate to HKLM\\System\\CurrentControlSet\\Services\\NtFrs\\Parameters.\n\n2. Note the value for: Working Directory.\n\n3. Checking the noted location in Windows Explorer, compare the ACLs of the FRS *directory* to the specifications below.\n\n4. If the permissions are not at least as restrictive as those below, then this is a finding.\n\nFRS Directory Permissions:\n ...\\Ntfrs\t\t:Administrators, SYSTEM\t\t: Full Control (F)",
"description": "Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.",
"fixid": "F-14374r1_fix",
"fixtext": "- Change the access control permissions on the directory data files to conform to the following guidance : \n\nWindows Permissions:\n Administrators, CREATOR OWNER, SYSTEM\t\t : Full Control (F)\n [Directory server owner account\\group]\t\t : Full Control (F)\n [Directory server execution account\\group]\t\t : Full Control (F)\n [Other directory server group]\t\t\t : Read & Execute (R)\n [IAO-approved users \\ user groups]\t\t\t : Read & Execute (R)\n\nUNIX Permissions:\n root\t\t\t\t\t: Read\\Write\\Exec (7)\n [Directory server owner account\\group]\t\t: Read\\Write\\Exec (7)\n [Directory server execution account\\group]\t\t: Read\\Write\\Exec (7)\n [Other directory server group]\t\t\t: Read\\Exec (5)\n [IAO-approved users \\ user groups]\t\t\t: Read\\Exec (5)\n\n*Note* - As far as possible, no (0) access is to be defined for the \u201cgroup\u201d and\\or \u201cother\u201d permissions on UNIX directories or files containing sensitive data and directory backup files.\n",
"iacontrols": null,
"id": "V-27109",
"ruleID": "SV-34409r1_rule",
"severity": "medium",
"title": "Access Control permissions on the FRS Directory data files do not have proper access permissions.",
"version": "DS00.0121_2003"
},
"V-27119": {
"checkid": "C-32093r1_chk",
"checktext": "1. At a command line prompt enter \u201cnet share\u201d.\n\n2. Note the location for the SYSVOL share.\n\n3. Checking the noted location in Windows Explorer, compare the ACLs of the GPT *directories* (GPT parent and GPT Policies directories) to the specifications below.\n\n4. If the permissions are not at least as restrictive as those below, then this is a finding.\n\nGPT Parent (SYSVOL) and GPT Policies Directories Permissions:\n ...\\SYSVOL\t \n\t:Administrators, SYSTEM\t\t: Full Control (F)\n\t:Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents\n\t:CREATOR OWNER\t: Full Control (F) - \n\t\t\t - Subfolders and files only\n\n ...\\SYSVOL\\[domain]\\Policies\n\t: Administrators, SYSTEM\t\t:Full Control (F)\n\t:Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents\n\t:CREATOR OWNER\t\t: Full Control (F) -\n\t\t\t\t- Subfolders and files only\n\t:Group Policy Creator Owners:\t: Read, Read & Execute, List Folder Contents, Modify, Write",
"description": "Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.\n\nFor AD this data includes identification, authentication, and authorization data. A compromise of this data could have grave consequences to a large number of hosts throughout the AD forest that utilize the directory server data to make access control decisions.",
"fixid": "F-7973r3_fix",
"fixtext": "Ensure the access control permissions on the AD database, log, and work files are set as follows:\n\n ...\\ntds.dit\t\t:Administrators, SYSTEM\t\t : Full Control (F)\n ...\\edb*.log, ...\\res*.log\t:Administrators, SYSTEM\t\t : Full Control (F)\n ...\\temp.edb, ...\\edb.chk\t:Administrators, SYSTEM\t\t : Full Control (F)",
"iacontrols": [
"ECAN-1",
"ECCD-1",
"ECCD-2"
],
"id": "V-27119",
"ruleID": "SV-34425r1_rule",
"severity": "high",
"title": "Access control permissions on the GPT directory files must comply with the required guidance.",
"version": "DS00.0122_2003"
},
"V-2906": {
"checkid": "C-12539r3_chk",
"checktext": "1. Obtain permission to run the John the Ripper utility. \n\n2. Ensure that the team lead has notified the site that the review will require running the John the Ripper utility. Also, include this information in the in-brief. \n\n3. Obtain an account with administrator rights from which to run the script. \n\n4. To run the script, double click on \u2018pwchk.cmd\u2019\n\n5. When prompted to save the output to floppy (Y/N): if Yes is selected, insert a floppy disk; the output files will be copied to drive A. If No is selected, the output is saved to the hard drive in the directory C:\\temp\\srr\\output and no option to remove the output is provided.\n\n6. If save to the A drive was selected, follow the prompt to remove the output from the hard drive (Y/N). If Yes is selected, the output is sent to the recycle bin. If No is selected, the output is kept in the C:\\temp\\srr\\output directory. \n\n7. The output consists of four files. Review the output and consider a password cracked only if a recognizable portion of the password has been identified. This is because the Easycheck.txt and Hybridcheck.txt output report passwords as cracked even if only one character has been identified. \n\n8. Count how many passwords were cracked. If weak passwords are uncovered, verify that a complex password filter is installed properly (e.g., PPE) and that it is configured to enforce password complexity requirements (for PPE: 14 characters, a mix of upper case letters, and at least one each of the following: lower case letters, numbers, and special characters).\n\n9. Remove output files from the machine and properly store or destroy printed output. \n\n10. If a password filter is not installed and configured, then this is a finding.\n\n11. If output from the password strength checking scripts indicates that there are weak passwords on the system, then this is a finding.\n\nSupplementary Notes:\n\nUse Notepad to view the output files. \nNote that entries like the following in the example files indicate the absence of a password (e.g., \u201cGuest:NO PASSWORD:501::\u201d) and would be a finding.\n\nEasycheck.txt contains a list of passwords where one or more characters were easily discovered. \n---------EXAMPLE of Easycheck.txt output file------------------------------------------------\nAdministrator:NO PASSWORD:500:::\nGuest:NO PASSWORD:501:::\n2 password hashes cracked, 9 left\n---------------------------------------------------------------------------------------------------------\n\nHybridcheck.txt contains a list of passwords where one or more characters were discovered using the rules and/or dictionary. \n---------EXAMPLE of Hybridcheck.txt output file------------------------------------------------\nAdministrator:NO PASSWORD:500:::\nGuest:NO PASSWORD:501:::\nTestUser2:password:1110:::\nTestUser3:superman:1111:::\n4 password hashes cracked, 7 left\n---------------------------------------------------------------------------------------------------------\n\n127.0.0.1.pwdump contains the dumped account password hashes (LM hash, then NT hash) that John the Ripper uses to crack passwords. \n\n---------EXAMPLE of 127.0.0.1.pwdump output file--------------------------------------------\nAdministrator:500:NO PASSWORD*********************:NO PASSWORD*********************:::\nGuest:501:NO PASSWORD*********************:NO PASSWORD*********************:::\nkrbtgt:502:NO PASSWORD*********************:47C4F34CF03E2A9AD81EB85CA0888F77:::\nSUPPORT_388945a0:1001:NO PASSWORD*********************:4BD973FA18F1605670C35FD02580F3BB:::\nTestUser:1108:E6AE98BD19BBF81DBFB9CD018740B5B8:7B5B74F147638B6A24D78A1E3880A2DE:::\nTestUser1:1109:NO PASSWORD*********************:F97DCC88373417A0D7E59AD9B2ADE86D:::\nTestUser1_history_0:1109:42791C31A0391A6F72B29400B120B36D:D6E7767D7AB3EB0DF541057F13A502D3:::\nTestUser2:1110:NO PASSWORD*********************:8846F7EAEE8FB117AD06BDD830B7586C:::\nTestUser2_history_0:1110:73B62BA474E6B300D553083889BF4874:7ECFFFF0C3548187607A14BAD0F88BB1:::\nTestUser3:1111:NO PASSWORD*********************:72F5CFA80F07819CCBCFB72FEB9EB9B7:::\nDISATEST-W2K3DC$:1005:NO PASSWORD*********************:451135221C2FEB938E684CD685388BD2:::\n---------------------------------------------------------------------------------------------------------\n\nJohn.pot contains the hash and the character(s) of the passwords that were cracked. Note: Open this file using Notepad. Sample of John.pot hash file:\n---------EXAMPLE of John.pot output file-------------------------------------------------------\n$NT$8846F7EAEE8FB117AD06BDD830B7586C:password\n$NT$72F5CFA80F07819CCBCFB72FEB9EB9B7:superman\n---------------------------------------------------------------------------------------------------------",
"description": "Weak passwords are easily broken with readily available hacker tools. They can give an intruder access to the system with the privileges of the account whose password was broken.",
"fixid": "F-5786r3_fix",
"fixtext": "Install and configure a complex password filter to enforce DoD password complexity requirements. \n",
"iacontrols": [
"IAIA-1"
],
"id": "V-2906",
"ruleID": "SV-28509r2_rule",
"severity": "medium",
"title": "A complex password filter must be installed and configured. ",
"version": "AD.4034_2003"
},
"V-4408": {
"checkid": "C-32084r1_chk",
"checktext": "1. Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view.\n\n2. Navigate to Local Policies and select Security Options.\n\n3. If the value for \u201cDomain Controller: Refuse machine account password changes\u201d is set to \"Enabled\", then this is a finding.",
"description": "Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.",
"fixid": "F-28441r1_fix",
"fixtext": "Set the value for \u201cDomain Controller: Refuse machine account password changes\u201d to \u201cDisabled\u201d.\n\nThe policy referenced configures the following registry value:\n\nRegistry Hive: HKEY_LOCAL_MACHINE \nRegistry Path: \\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\\n\nValue Name: RefusePasswordChange\n\nValue Type: REG_DWORD\nValue: 0\n",
"iacontrols": [
"ECSC-1"
],
"id": "V-4408",
"ruleID": "SV-33883r1_rule",
"severity": "low",
"title": "The domain controller must be configured to allow reset of machine account passwords.",
"version": "AD.3107_2003"
},
"V-8316": {
"checkid": "C-7636r3_chk",
"checktext": "I. AD Database, Log, and Work Files\n1. Use Registry Editor to navigate to HKLM\\System\\CurrentControlSet\\Services\\NTDS\\Parameters.\n\n2. Note the values for: \n-- DSA Database file \n-- Database log files path \n-- DSA Working Directory. \n\n3. Navigate to the directory locations using Windows Explorer.\n\n4. Verify the ACLs of the AD database, log, and work files with the following:\nAD Database, Log, and Work Files Permissions:\n ...\\ntds.dit\t\t:Administrators, SYSTEM\t\t : Full Control (F)\n ...\\edb*.log, ...\\res*.log\t:Administrators, SYSTEM\t\t : Full Control (F)\n ...\\temp.edb, ...\\edb.chk\t:Administrators, SYSTEM\t\t : Full Control (F)\n\n[Note: The directory in which these files reside (usually ...\\NTDS) may have permissions defined for CREATOR OWNER and Local Service, but these permissions apply at the directory level only, not to the individual files identified here.] \n\n5. If the permissions are not at least as restrictive as required, then this is a finding.",
"description": "Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.\n",
"fixid": "F-7973r3_fix",
"fixtext": "Ensure the access control permissions on the AD database, log, and work files are set as follows:\n\n ...\\ntds.dit\t\t:Administrators, SYSTEM\t\t : Full Control (F)\n ...\\edb*.log, ...\\res*.log\t:Administrators, SYSTEM\t\t : Full Control (F)\n ...\\temp.edb, ...\\edb.chk\t:Administrators, SYSTEM\t\t : Full Control (F)",
"iacontrols": [
"ECAN-1",
"ECCD-1",
"ECCD-2"
],
"id": "V-8316",
"ruleID": "SV-15601r3_rule",
"severity": "high",
"title": "Access control permissions on the AD database, log, and work files must conform to the required guidance. ",
"version": "DS00.0120_2003"
},
"V-8317": {
"checkid": "C-14105r2_chk",
"checktext": "1. Refer to the AD database, log, and work file information obtained in check V-8316. Note the logical drive (e.g., \u201cC:\u201d) on which the files are located.\n\n2. Determine if the server is currently providing file sharing services to users by entering \u201cnet share\u201d at a command line prompt.\n\n3. Record the logical drive(s) or file system partition for any site-created data shares. Ignore the Windows system shares (NETLOGON, SYSVOL) and the administrative shares (names ending in $, such as C$ and ADMIN$). Do not ignore user-created shares that have been hidden by appending $ to the share name.\n\n4. If data files owned by users are located on the same logical partition as the directory server database, log, or work files, then this is a finding.",
"description": "When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files that share a partition may be configured with less restrictive permissions in order to allow access to the user data. \n\nThe directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent that prevents the directory service from acquiring more space for directory or audit data.\n",
"fixid": "F-14373r2_fix",
"fixtext": "Ensure the directory server data files are stored on a different logical partition than the files owned by users.",
"iacontrols": [
"DCSP-1"
],
"id": "V-8317",
"ruleID": "SV-31551r1_rule",
"severity": "medium",
"title": "The directory server data files must be located on a different logical partition from the data files owned by users. ",
"version": "DS00.1190_AD"
},
"V-8320": {
"checkid": "C-14106r2_chk",
"checktext": "This check examines only the Windows Support Tools. If none of the tools are installed, then this check is not applicable. \n\n1. Start Windows Explorer.\n\n2. Right-click the \u201cMy Computer\u201d item and select \u201cSearch\u2026\u201d\n\n3. Type \u201cSupport\" in the file name field.\n\n4. Select \u201cLocal Hard Drives\u201d in the \u201cLook in:\u201d field.\n\n5. Click the Search [or Search Now] button.\n\n6. Record the location for the \u201cSupport Tools\u201d directory. The SA may have installed the Support Tools under an alternate name. If the default directory is not found, ask the SA.\n\n7. If the directory is not found and the SA confirms that the Support Tools are not installed, then this check is not applicable.\n\n8. Using the recorded location, compare the current ACL of the Support Tools directory to the following:\n\nWindows Support Tools Permissions:\n ...\\Support Tools\t :Administrators, SYSTEM\t\t:Full Control (F)\n\t\t: [IAO-approved users \\ user groups] :Read, Read & Execute, List Folder Contents\n\n9. If the folder permissions are not at least as restrictive as required, then this is a finding.",
"description": "Improper access permissions for directory server program (executable) and configuration files could allow unauthorized and malicious users to read, modify, or delete those files and change the way a directory server operates. This could lead to a compromise of the confidentiality, availability, and integrity of directory data.\n\nSome administration tool packages (such as the Windows Support Tools) include programs designed to perform updates on directory configuration and database data. Even though the directory data should be protected through file and object access permissions, allowing unauthorized access to administrative programs provides a potential attacker with tools that are already installed in the environment.",
"fixid": "F-28705r1_fix",
"fixtext": "Configure the directory service as follows:\n\nWindows Support Tools Permissions:\n ...\\Support Tools\t :Administrators, SYSTEM\t\t:Full Control (F)\n\t\t: [IAO-approved users \\ user groups] :Read, Read & Execute, List Folder Contents\n",
"iacontrols": [
"DCSL-1"
],
"id": "V-8320",
"ruleID": "SV-31549r1_rule",
"severity": "medium",
"title": "Directory server directories and files must be configured with required permissions. ",
"version": "DS00.1150_AD"
},
"V-8322": {
"checkid": "C-7641r4_chk",
"checktext": "1. With the assistance of the SA or application SA, determine if a time synchronization tool has been implemented on the Windows domain controller.\n\n2. If the Windows Time Service checks below indicate a finding because the NtpClient is not enabled, ask the SA to demonstrate that an alternate time synchronization tool is installed and enabled.\n\n3. If the Windows Time Service is not enabled and no alternate tool is enabled, then this is a finding.\n\nCheck procedures for Windows Time Service:\nIf the Windows Time Service is used, the following procedures apply.\n\n1. Use Registry Editor to navigate to HKLM\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpClient.\n\n2. If the value for \u201cEnabled\u201d is not \u201c1\u201d, then this is a finding.\n\n3. Use Registry Editor to navigate to HKLM\\System\\CurrentControlSet\\Services\\W32Time\\Parameters.\n\n4. If the value for \u201cType\u201d is not \u201cNT5DS\u201d (preferred on a domain controller), \u201cNTP\u201d or \u201cAllSync\u201d, then this is a finding.",
"description": "- When a directory service that uses multi-master replication (such as AD) executes on computers that do not have synchronized time, directory data may be corrupted or updated invalidly.\n- The lack of synchronized time could lead to audit log data that is misleading, inconclusive, or unusable. In cases of intrusion this may invalidate the audit data as a source of forensic evidence in an incident investigation.\n- In AD, the lack of synchronized time could prevent clients from logging on or accessing server resources as a result of Kerberos requirements related to time variance.\n",
"fixid": "F-7980r3_fix",
"fixtext": "Install or enable time synchronization on the directory service server. ",
"iacontrols": [
"ECTM-1",
"ECTM-2"
],
"id": "V-8322",
"ruleID": "SV-31548r1_rule",
"severity": "medium",
"title": "Install or enable time synchronization on the directory service server. ",
"version": "DS00.0150_AD"
},
"V-8324": {
"checkid": "C-13256r2_chk",
"checktext": "If Windows Time Service is used as the time synchronization tool, use the following procedures to determine if logging is configured to capture time source switches.\n\nWindows Time Service \n1. Use Registry Editor to navigate to HKLM\\System\\CurrentControlSet\\Services\\W32Time\\Config.\n\n2. If the value for \u201cEventLogFlags\u201d is not \u201c2\u201d, then this is a finding. (EventLogFlags is a bit mask: 0x1 logs time jumps and 0x2 logs time source changes, so a value of 3 also logs source switches; confirm that the 0x2 bit is set.)\n\n\nIf the NTP daemon or another tool is used as the time synchronization tool, use the following procedures.\n\n1. Request the assistance of the SA or application SA to determine if the tool is logging time source changes.\n\n2. Review the available configuration options and logs.\n\n3. If the tool has time source logging capability and it is not enabled, then this is a finding.",
"description": "When a time synchronization tool executes, it may switch between time sources according to network or server contention. If switches between time sources are not logged, it may be difficult or impossible to detect malicious activity or availability problems.",
"fixid": "F-14380r2_fix",
"fixtext": "Update the time synchronization tool configuration so that time source switching is logged.\n",
"iacontrols": [
"ECTM-1",
"ECTM-2"
],
"id": "V-8324",
"ruleID": "SV-8819r3_rule",
"severity": "low",
"title": "The time synchronization tool must be configured to enable logging of time source switching.",
"version": "DS00.0151_AD"
},
"V-8326": {
"checkid": "C-14107r2_chk",
"checktext": "1. Display the programs that are running on the directory server by starting the Services console (Start, Run, \"services.msc\").\n\n2. Determine if any running programs are application components. Check if any application-related services have the \u201cStarted\u201d status.\n\nExamples of some services that indicate the presence of applications are: \n- DHCP Server for DHCP server\n- IIS Admin Service for IIS web server\n- Microsoft Exchange System Attendant for Exchange\n- MSSQLServer for SQL Server.\n\n3. If any application-related components have the \u201cStarted\u201d status, then this is a finding.\n\nSupplemental Notes:\n\nAny Domain Name System (DNS) server that is integrated with the directory server (e.g., AD-integrated DNS) *is* an acceptable application. However, the DNS server must comply with the DNS STIG security requirements.\n\nSome directory servers utilize specialized web servers for administrative functions and databases for data management. These web and database servers are permitted as long as they are *dedicated* to directory server support and only administrative users have access to them.",
"description": "Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts that increase the attack surface of the computer. \n\nSome applications require the addition of privileged accounts that provide potential sources of compromise. Some applications (such as MS Exchange) may require the use of network ports or services that conflict with the directory server. In that case, non-standard ports might be selected and this could interfere with intrusion detection or prevention services.",
"fixid": "F-14381r2_fix",
"fixtext": "Remove the web, database, e-mail, or other application from the domain controller.",
"iacontrols": [
"DCSP-1"
],
"id": "V-8326",
"ruleID": "SV-31550r1_rule",
"severity": "medium",
"title": "The directory server supporting (directly or indirectly) system access or resource authorization, must run on a machine dedicated to that function. ",
"version": "DS00.1180_AD"
},
"V-8327": {
"checkid": "C-14108r2_chk",
"checktext": "1. Start the Services console (Start, Run, \u201cservices.msc\u201d).\n\n2. Check the Startup Type field for the following Windows services: \n- Distributed File System\n- DNS Client \n- File Replication Service \n- Intersite Messaging \n- Kerberos Key Distribution Center \n- Net Logon \n- Windows Time.\n\n3. If the Startup Type for any of these services is not Automatic, then this is a finding.\n\nSupplemental Notes:\n\nThe Windows Time service is not required if another time synchronization tool is implemented to start automatically.\n\nThe Distributed File System is not required if the site is not utilizing this service and can be disabled.\n",
"description": "AD is dependent on several Windows services. If one or more of these services is not configured for automatic startup, AD functions may be partially or completely unavailable until the services are manually started. This could result in a failure to replicate data or to support client authentication and authorization requests.",
"fixid": "F-15016r2_fix",
"fixtext": "Configure OS services that are critical for directory server operation for automatic startup. ",
"iacontrols": [
"ECTM-1",
"ECTM-2"
],
"id": "V-8327",
"ruleID": "SV-31553r1_rule",
"severity": "medium",
"title": "OS services that are critical for directory server operation must be configured for automatic startup. \n",
"version": "DS00.3260_AD"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-12780": "true",
"V-14783": "true",
"V-14789": "true",
"V-14797": "true",
"V-14798": "true",
"V-14820": "true",
"V-14831": "true",
"V-15488": "true",
"V-2370": "true",
"V-2373": "true",
"V-2376": "true",
"V-2377": "true",
"V-2378": "true",
"V-2379": "true",
"V-2380": "true",
"V-26683": "true",
"V-27109": "true",
"V-27119": "true",
"V-2906": "true",
"V-4408": "true",
"V-8316": "true",
"V-8317": "true",
"V-8320": "true",
"V-8322": "true",
"V-8324": "true",
"V-8326": "true",
"V-8327": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-12780": "true",
"V-14789": "true",
"V-14798": "true",
"V-14820": "true",
"V-14831": "true",
"V-15488": "true",
"V-2370": "true",
"V-2373": "true",
"V-2376": "true",
"V-2377": "true",
"V-2378": "true",
"V-2379": "true",
"V-2380": "true",
"V-26683": "true",
"V-27109": "true",
"V-27119": "true",
"V-2906": "true",
"V-4408": "true",
"V-8316": "true",
"V-8317": "true",
"V-8320": "true",
"V-8322": "true",
"V-8324": "true",
"V-8326": "true",
"V-8327": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-12780": "true",
"V-14789": "true",
"V-14797": "true",
"V-14798": "true",
"V-14820": "true",
"V-14831": "true",
"V-15488": "true",
"V-2370": "true",
"V-2373": "true",
"V-2376": "true",
"V-2377": "true",
"V-2378": "true",
"V-2379": "true",
"V-2380": "true",
"V-26683": "true",
"V-27109": "true",
"V-27119": "true",
"V-2906": "true",
"V-4408": "true",
"V-8316": "true",
"V-8317": "true",
"V-8320": "true",
"V-8322": "true",
"V-8324": "true",
"V-8326": "true",
"V-8327": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-12780": "true",
"V-14783": "true",
"V-14789": "true",
"V-14797": "true",
"V-14798": "true",
"V-14820": "true",
"V-14831": "true",
"V-15488": "true",
"V-2370": "true",
"V-2373": "true",
"V-2376": "true",
"V-2377": "true",
"V-2378": "true",
"V-2379": "true",
"V-2380": "true",
"V-26683": "true",
"V-27109": "true",
"V-27119": "true",
"V-2906": "true",
"V-4408": "true",
"V-8316": "true",
"V-8317": "true",
"V-8320": "true",
"V-8322": "true",
"V-8324": "true",
"V-8326": "true",
"V-8327": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-12780": "true",
"V-14789": "true",
"V-14798": "true",
"V-14820": "true",
"V-14831": "true",
"V-15488": "true",
"V-2370": "true",
"V-2373": "true",
"V-2376": "true",
"V-2377": "true",
"V-2378": "true",
"V-2379": "true",
"V-2380": "true",
"V-26683": "true",
"V-27109": "true",
"V-27119": "true",
"V-2906": "true",
"V-4408": "true",
"V-8316": "true",
"V-8317": "true",
"V-8320": "true",
"V-8322": "true",
"V-8324": "true",
"V-8326": "true",
"V-8327": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-12780": "true",
"V-14789": "true",
"V-14797": "true",
"V-14798": "true",
"V-14820": "true",
"V-14831": "true",
"V-15488": "true",
"V-2370": "true",
"V-2373": "true",
"V-2376": "true",
"V-2377": "true",
"V-2378": "true",
"V-2379": "true",
"V-2380": "true",
"V-26683": "true",
"V-27109": "true",
"V-27119": "true",
"V-2906": "true",
"V-4408": "true",
"V-8316": "true",
"V-8317": "true",
"V-8320": "true",
"V-8322": "true",
"V-8324": "true",
"V-8326": "true",
"V-8327": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-12780": "true",
"V-14783": "true",
"V-14789": "true",
"V-14797": "true",
"V-14798": "true",
"V-14820": "true",
"V-14831": "true",
"V-15488": "true",
"V-2370": "true",
"V-2373": "true",
"V-2376": "true",
"V-2377": "true",
"V-2378": "true",
"V-2379": "true",
"V-2380": "true",
"V-26683": "true",
"V-27109": "true",
"V-27119": "true",
"V-2906": "true",
"V-4408": "true",
"V-8316": "true",
"V-8320": "true",
"V-8322": "true",
"V-8324": "true",
"V-8326": "true",
"V-8327": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-12780": "true",
"V-14789": "true",
"V-14798": "true",
"V-14820": "true",
"V-14831": "true",
"V-15488": "true",
"V-2370": "true",
"V-2373": "true",
"V-2376": "true",
"V-2377": "true",
"V-2378": "true",
"V-2379": "true",
"V-2380": "true",
"V-26683": "true",
"V-27109": "true",
"V-27119": "true",
"V-2906": "true",
"V-4408": "true",
"V-8316": "true",
"V-8320": "true",
"V-8322": "true",
"V-8324": "true",
"V-8326": "true",
"V-8327": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-12780": "true",
"V-14789": "true",
"V-14797": "true",
"V-14798": "true",
"V-14820": "true",
"V-14831": "true",
"V-15488": "true",
"V-2370": "true",
"V-2373": "true",
"V-2376": "true",
"V-2377": "true",
"V-2378": "true",
"V-2379": "true",
"V-2380": "true",
"V-26683": "true",
"V-27109": "true",
"V-27119": "true",
"V-2906": "true",
"V-4408": "true",
"V-8316": "true",
"V-8320": "true",
"V-8322": "true",
"V-8324": "true",
"V-8326": "true",
"V-8327": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "active_directory_service_2003",
"title": "Active Directory Service 2003 Security Technical Implementation Guide (STIG)",
"version": "2"
}
}
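The ACL checks V-8316, V-27109 and V-27119 above all reduce to the same test: every Allow ACE on the object must belong to an identity in the required list and must carry no right beyond what that list grants. The following script is an added example, not part of the STIG or any DISA tooling. It assumes an elevated PowerShell session on the domain controller, reads the file locations from the registry values the check text names (NTDS `DSA Database file`, `Database log files path`, `DSA Working Directory`; NtFrs `Working Directory`; the SYSVOL share path from WMI), and encodes the required permission tables from the STIG as identity-to-maximum-rights maps. Matching is by well-known SID so that `BUILTIN\Administrators` or a localized name still match; Group Policy Creator Owners has a domain-relative SID and is matched by name.

```powershell
# Added example (not STIG tooling): audit the ACLs required by V-8316, V-27109 and V-27119.
# Assumptions: elevated session on the DC; registry value names as cited in the STIG check text.
$Full     = [System.Security.AccessControl.FileSystemRights]::FullControl
$ReadExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute   # includes Read and List Folder Contents
$Modify   = [System.Security.AccessControl.FileSystemRights]::Modify           # includes Write and ReadAndExecute

# Required ACLs transcribed from the STIG: identity -> maximum rights that identity may hold.
$AdminSystem  = @{ 'S-1-5-32-544' = $Full; 'S-1-5-18' = $Full }               # Administrators, SYSTEM
$SysvolRule   = $AdminSystem + @{ 'S-1-3-0'      = $Full;                      # CREATOR OWNER
                                  'S-1-5-11'     = $ReadExec;                  # Authenticated Users
                                  'S-1-5-32-549' = $ReadExec }                 # Server Operators
$PoliciesRule = $SysvolRule + @{ 'Group Policy Creator Owners' = $Modify }     # domain-relative SID, matched by name

function Test-AclAtLeastAsRestrictive {
    param([string]$Path, [hashtable]$Allowed, [string]$Finding)
    if (-not $Path -or -not (Test-Path -Path $Path)) { Write-Warning "$Finding : path '$Path' not found"; return }
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs only narrow access
        $id = $ace.IdentityReference.Value
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $id }                                    # orphaned SID: keep the raw string
        $name = $id.Split('\')[-1]
        $max = $null
        if     ($Allowed.ContainsKey($sid))  { $max = $Allowed[$sid] }
        elseif ($Allowed.ContainsKey($name)) { $max = $Allowed[$name] }
        if ($null -eq $max) {
            "$Finding FINDING: $Path grants $id '$($ace.FileSystemRights)' but that identity is not in the required list"
        } elseif ((([int]$ace.FileSystemRights) -band (-bnot [int]$max)) -ne 0) {
            # Any right bit outside the allowed mask makes the ACE less restrictive than required.
            # Generic rights (0x10000000 and above) on inherited ACEs also land here; review those by hand.
            "$Finding FINDING: $Path grants $id '$($ace.FileSystemRights)', more than the allowed '$max'"
        }
    }
}

$ntds   = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$frs    = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\NtFrs\Parameters'
$sysvol = (Get-WmiObject Win32_Share -Filter "Name='SYSVOL'").Path
$domain = (Get-WmiObject Win32_ComputerSystem).Domain

# V-8316 is about the individual files; the NTDS directory itself may carry CREATOR OWNER / LOCAL SERVICE.
$ntdsFiles = @($ntds.'DSA Database file')
foreach ($dir in (@($ntds.'Database log files path', $ntds.'DSA Working Directory') | Where-Object { $_ })) {
    foreach ($pattern in 'edb*.log', 'res*.log', 'temp.edb', 'edb.chk') {
        $ntdsFiles += Get-ChildItem -Path $dir -Filter $pattern -Force -ErrorAction SilentlyContinue |
                      ForEach-Object { $_.FullName }
    }
}

$results = @()
foreach ($f in ($ntdsFiles | Select-Object -Unique)) {
    $results += Test-AclAtLeastAsRestrictive -Path $f -Allowed $AdminSystem -Finding 'V-8316'
}
$results += Test-AclAtLeastAsRestrictive -Path $frs.'Working Directory' -Allowed $AdminSystem -Finding 'V-27109'
$results += Test-AclAtLeastAsRestrictive -Path $sysvol -Allowed $SysvolRule -Finding 'V-27119'
$results += Test-AclAtLeastAsRestrictive -Path (Join-Path (Join-Path $sysvol $domain) 'Policies') -Allowed $PoliciesRule -Finding 'V-27119'

$results = @($results | Where-Object { $_ })
if ($results.Count) { $results } else { 'No ACL findings for V-8316, V-27109 and V-27119' }
```

The script reports only the rights and identities on each object; it does not check the inheritance scope the V-27119 table specifies for CREATOR OWNER ("Subfolders and files only"), so confirm that detail in the Advanced Security dialog. The same function serves V-8320 once the Support Tools directory has been located: pass `$AdminSystem` extended with the IAO-approved groups mapped to `$ReadExec`.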
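The remaining domain controller checks in this STIG are registry values, service startup modes and share placement: V-4408 (RefusePasswordChange), V-8322 and V-8324 (W32Time NtpClient, Type and EventLogFlags), V-8327 (critical services set to Automatic), V-8326 (application services running on the DC) and V-8317 (user data shares on the NTDS volume). The script below is an added example, not STIG or DISA code, that gathers all of them in one pass. It assumes an elevated PowerShell session on the DC; the short service names for the services the check text lists (Dfs, Dnscache, NtFrs, IsmServ, Kdc, Netlogon, W32Time; DHCPServer, IISADMIN, MSExchangeSA, MSSQLSERVER) are the standard Windows 2003 names, and the application list is the STIG's own set of examples, which a site should extend. For V-8317 it uses the `Win32_Share.Type` flag rather than the `$` suffix to distinguish administrative from hidden user shares, which is the distinction the check text asks for.

```powershell
# Added example (not STIG tooling): registry, service and share checks for V-4408, V-8322,
# V-8324, V-8327, V-8326 and V-8317. Assumes an elevated session on the domain controller.
$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Id, [string]$Text) { [void]$findings.Add("$Id FINDING: $Text") }

# V-4408: the policy maps to Netlogon\Parameters\RefusePasswordChange; 1 = Enabled (finding), 0 or absent = Disabled.
$nl = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'
if ($nl.RefusePasswordChange -eq 1) { Add-Finding 'V-4408' 'Refuse machine account password changes is Enabled' }

# V-8322: NtpClient enabled and Type one of NT5DS (preferred on a DC), NTP, AllSync.
$ntp  = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'
$w32p = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\W32Time\Parameters'
if ($ntp.Enabled -ne 1) { Add-Finding 'V-8322' 'NtpClient is not enabled (confirm with the SA that no alternate time tool is in use)' }
if (@('NT5DS', 'NTP', 'AllSync') -notcontains $w32p.Type) { Add-Finding 'V-8322' "W32Time Type is '$($w32p.Type)'" }

# V-8324: EventLogFlags is a bit mask (0x1 = time jump, 0x2 = time source change).
# The STIG text tests for exactly 2; testing the 0x2 bit also accepts 3, which logs source switches too.
$cfg = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\W32Time\Config'
if (([int]$cfg.EventLogFlags -band 2) -eq 0) { Add-Finding 'V-8324' "EventLogFlags is '$($cfg.EventLogFlags)'; time source switching is not logged" }

# V-8327: services the check text lists must be Automatic. Exceptions in the STIG notes:
# Dfs may be disabled if unused, W32Time if an alternate time tool starts automatically.
$critical = 'Dfs', 'Dnscache', 'NtFrs', 'IsmServ', 'Kdc', 'Netlogon', 'W32Time'
$services = Get-WmiObject Win32_Service
foreach ($s in ($services | Where-Object { $critical -contains $_.Name -and $_.StartMode -ne 'Auto' })) {
    Add-Finding 'V-8327' "$($s.DisplayName) ($($s.Name)) startup type is $($s.StartMode)"
}

# V-8326: application services that indicate a non-dedicated DC (the STIG's examples; extend for the site).
$appServices = 'DHCPServer', 'IISADMIN', 'MSExchangeSA', 'MSSQLSERVER'
foreach ($s in ($services | Where-Object { $appServices -contains $_.Name -and $_.State -eq 'Running' })) {
    Add-Finding 'V-8326' "$($s.DisplayName) ($($s.Name)) is running on the domain controller"
}

# V-8317: site-created disk shares must not sit on the volume holding the NTDS database, logs or work files.
# Win32_Share.Type 0 is an ordinary disk share; administrative shares (C$, ADMIN$) carry the 0x80000000
# flag, so a hidden user share named data$ is still examined, as the check text requires.
$ntds = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$ntdsVolumes = @($ntds.'DSA Database file', $ntds.'Database log files path', $ntds.'DSA Working Directory') |
    Where-Object { $_ } | ForEach-Object { [System.IO.Path]::GetPathRoot($_).ToUpper() } | Select-Object -Unique
foreach ($sh in (Get-WmiObject Win32_Share | Where-Object { ($_.Type -eq 0) -and (@('NETLOGON', 'SYSVOL') -notcontains $_.Name) })) {
    $root = [System.IO.Path]::GetPathRoot($sh.Path).ToUpper()
    if ($ntdsVolumes -contains $root) { Add-Finding 'V-8317' "share $($sh.Name) ($($sh.Path)) is on NTDS volume $root" }
}

if ($findings.Count) { $findings } else { 'No findings for V-4408, V-8322, V-8324, V-8327, V-8326 and V-8317' }
```

Treat the output as evidence to review rather than a verdict: V-8322 is only a finding if the SA cannot show an alternate time source, and the V-8327 exceptions for Dfs and W32Time depend on what the site actually runs.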