| V-26683 ||High ||PKI certificates (user certificates) must be issued by the DoD PKI or an approved External Certificate Authority (ECA). ||A PKI implementation depends on the practices established by the Certificate Authority to ensure that the implementation is secure. Without proper practices, the certificates issued by a CA have... |
| V-2370 ||High ||The access control permissions for the directory service site group policy must be configured to use the required access permissions. ||When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or... |
| V-14820 ||High ||PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA). ||A PKI implementation depends on the practices established by the Certificate Authority to ensure that the implementation is secure. Without proper practices, the certificates issued by a CA have... |
| V-14798 ||High ||Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access. ||To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as... |
| V-8316 ||High ||Directory service data files do not have proper access permissions. ||Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.
| V-12780 ||High ||The Synchronize Directory Service Data user right must not be assigned to any account. ||A Windows account with the Synchronize Directory Service Data right has the ability to read all information in the AD database. This bypasses the object access permissions that would otherwise... |
| V-2380 ||Medium ||The Kerberos policy option "Maximum tolerance for computer clock synchronization" must be set to a maximum of 5 minutes or less. ||This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two... |
| V-2906 ||Medium ||Ensure a complex password filter is installed and configured to enforce password complexity requirements. ||Weak passwords are easily broken with readily available hacker tools. They can give an intruder access to the system with the privileges of the account whose password was broken. |
| V-27109 ||Medium ||Access Control permissions on the FRS Directory data files do not have proper access permissions. ||Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. |
| V-8326 ||Medium ||The directory server supporting (directly or indirectly) system access or resource authorization, must run on a machine dedicated to that function. ||Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require... |
| V-8327 ||Medium ||OS services that are critical for directory server operation must be configured for automatic startup. ||AD is dependent on several Windows services. If one or more of these services is not configured for automatic startup, AD functions may be partially or completely unavailable until the services... |
| V-8320 ||Medium ||Directory server directories and files must be configured with required permissions. ||Improper access permissions for directory server program (executable) and configuration files could allow unauthorized and malicious users to read, modify, or delete those files and change the way... |
| V-8322 ||Medium ||Install or enable time synchronization on the directory service server. ||- When a directory service that uses multi-master replication (such as AD) executes on computers that do not have synchronized time, directory data may be corrupted or updated invalidly. - The... |
| V-2373 ||Medium ||The Server Operators group must have the ability to schedule jobs by means of the AT command disabled. ||This policy controls the ability of members of the local Server Operators group to schedule AT jobs. If disabled, only administrators can schedule jobs that use AT commands. Unlike Scheduled Tasks... |
| V-14783 ||Medium ||Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. ||Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network or when SAMI data is included. |
| V-2377 ||Medium ||The Kerberos service ticket maximum lifetime must meet minimum standards. ||This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new... |
| V-2376 ||Medium ||The Kerberos policy option must be configured to enforce user logon restrictions. ||This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is... |
| V-2379 ||Medium ||The Kerberos policy option "Maximum lifetime for user ticket renewal" must be configured for a maximum of 7 days or less. ||This setting determines the period of time (in days) during which a user's ticket-granting ticket (TGT) may be renewed. |
| V-2378 ||Medium ||The Kerberos policy option "Maximum lifetime for user ticket" must be set to a maximum of 10 hours or less. ||In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is... |
| V-15488 ||Medium ||For unclassified systems, the directory server must be configured to use the CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. ||CTO 07-015 requires PKI authentication. PKI authentication with a hardware token is a two-factor technique (the token plus its PIN), thus it provides a higher level of trust in the asserted identity than use of the username/password... |
| V-8317 ||Medium ||The directory server data files must be located on a different logical partition from the data files owned by users. ||When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory... |
| V-14789 ||Medium ||Locally written (non-vendor) code used in AD operations must comply with the requirements of the Application STIG. ||Unlike vendor programs that might be recovered by purchasing and/or downloading a replacement copy, the lack of a backup for locally written (non-vendor) code could result in the inability to... |
| V-8324 ||Low ||The time synchronization tool must be configured to enable logging of time source switching. ||When a time synchronization tool executes, it may switch between time sources according to network or server contention. If switches between time sources are not logged, it may be difficult or... |
| V-14797 ||Low ||Anonymous access to the root DSE of a non-public directory must be disabled. ||Allowing anonymous access to the root DSE data on a directory server provides potential attackers with a number of details about the configuration and data contents of a directory. For example,... |
| V-14831 ||Low ||The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity. ||- The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an... |
| V-4408 ||Low ||The domain controller must be configured to allow reset of machine account passwords. ||Enabling the "Refuse machine account password changes" setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to... |
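The Kerberos policy rows above (V-2380, V-2376, V-2377, V-2378, V-2379) and the Synchronize Directory Service Data right (V-12780) can all be verified from a single export of the effective security policy. The PowerShell below is an added example, not part of the STIG or its checklist text. It assumes it is run elevated on a domain controller, that secedit's INF keys for these settings are MaxClockSkew, MaxTicketAge, MaxRenewAge, MaxServiceAge, TicketValidateClient and SeSyncAgentPrivilege, and it uses 600 minutes as the service-ticket ceiling for V-2377, a number this page does not state.

```powershell
# Added example, not STIG text. Exports the effective security policy with secedit and
# checks the Kerberos policy values and the Synchronize Directory Service Data right.
# Run in an elevated PowerShell session on a domain controller.

function Get-SecurityPolicySections {
    # secedit writes an INI-style file; return it as @{ section = @{ key = value } }.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY USER_RIGHTS | Out-Null
    $sections = @{}
    $current = $null
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') {
            $current = $Matches[1]
            $sections[$current] = @{}
        }
        elseif ($current -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            $sections[$current][$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $sections
}

function Test-KerberosPolicy {
    param([hashtable]$Policy)
    $kerb = $Policy['Kerberos Policy']
    if (-not $kerb) { throw 'No [Kerberos Policy] section in the export; run this on a domain controller.' }
    # INF key, unit and ceiling for each STIG row. A value of 0 means "no limit" for the
    # ticket lifetimes, so it is treated as a failure rather than as "0 <= max".
    $limits = @(
        @{ Id = 'V-2380'; Key = 'MaxClockSkew';  Unit = 'minutes'; Max = 5   },
        @{ Id = 'V-2378'; Key = 'MaxTicketAge';  Unit = 'hours';   Max = 10  },
        @{ Id = 'V-2379'; Key = 'MaxRenewAge';   Unit = 'days';    Max = 7   },
        @{ Id = 'V-2377'; Key = 'MaxServiceAge'; Unit = 'minutes'; Max = 600 }  # 600 is an assumption; not stated on this page
    )
    foreach ($l in $limits) {
        $value = [int]$kerb[$l.Key]
        $ok = ($value -gt 0) -and ($value -le $l.Max)
        [pscustomobject]@{ Id = $l.Id; Setting = $l.Key; Value = "$value $($l.Unit)"; Max = $l.Max; Pass = $ok }
    }
    # V-2376: TicketValidateClient=1 is "Enforce user logon restrictions: Enabled".
    $enforce = $kerb['TicketValidateClient']
    [pscustomobject]@{ Id = 'V-2376'; Setting = 'TicketValidateClient'; Value = $enforce; Max = 1; Pass = ($enforce -eq '1') }
}

function Test-SyncAgentPrivilege {
    param([hashtable]$Policy)
    # V-12780: SeSyncAgentPrivilege must have no assignees. The key is absent from the
    # export when nobody holds the right; any SIDs listed are the finding.
    $rights  = $Policy['Privilege Rights']
    $holders = if ($rights) { $rights['SeSyncAgentPrivilege'] } else { $null }
    [pscustomobject]@{ Id = 'V-12780'; Setting = 'SeSyncAgentPrivilege'; Value = $holders; Max = '(none)'; Pass = [string]::IsNullOrWhiteSpace($holders) }
}

$policy = Get-SecurityPolicySections
@(Test-KerberosPolicy -Policy $policy; Test-SyncAgentPrivilege -Policy $policy) | Format-Table -AutoSize
```

Kerberos policy is domain-wide, so a failing value here points at the Default Domain Policy (or whichever GPO carries the Kerberos settings) rather than at the local machine; fix it there and let it replicate instead of editing the DC's local policy.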
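For the anonymous-access rows (V-14798, data outside the root DSE, and V-14797, the root DSE itself) the practical test is to bind anonymously and see what the server returns. The PowerShell below is an added example, not part of the STIG text; the server name and base DN are placeholders, it needs PowerShell 5 or later for the ::new syntax, and the second function needs the ActiveDirectory module. It also reads the AD-specific switch behind this behaviour: the seventh character of dsHeuristics on the Directory Service object, where '2' enables anonymous LDAP operations.

```powershell
# Added example, not STIG text. Probes a directory server with an anonymous LDAP bind
# to see what it returns without credentials, then (AD only) reads the dsHeuristics
# switch that enables anonymous operations. Server and base DN are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AnonymousLdapRead {
    param(
        [Parameter(Mandatory)][string]$Server,   # e.g. 'dc01.example.test' (placeholder)
        [Parameter(Mandatory)][string]$BaseDn    # e.g. 'DC=example,DC=test' (placeholder)
    )
    $ldap = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    $ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $ldap.SessionOptions.ProtocolVersion = 3
    $ldap.Bind()   # LDAPv3 servers accept an anonymous bind; the question is what it can read

    $result = [ordered]@{ RootDseReadable = $false; DataReadable = $false; Detail = '' }

    # V-14797: a base-scope search with an empty DN returns the root DSE.
    $rootReq = [System.DirectoryServices.Protocols.SearchRequest]::new('', '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@('namingContexts', 'supportedSASLMechanisms'))
    try {
        $rootResp = $ldap.SendRequest($rootReq)
        $result.RootDseReadable = ($rootResp.Entries.Count -gt 0)
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] { }

    # V-14798: anything below the root DSE. A compliant server returns no entries or an
    # error saying a bind is required (AD answers "OperationsError" here by default).
    $dataReq = [System.DirectoryServices.Protocols.SearchRequest]::new($BaseDn, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel, [string[]]@('distinguishedName'))
    try {
        $dataResp = $ldap.SendRequest($dataReq)
        $result.DataReadable = ($dataResp.Entries.Count -gt 0)
        $result.Detail = "$($dataResp.Entries.Count) entries returned to an anonymous client"
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        $result.Detail = "server refused the search: $($_.Exception.Response.ResultCode)"
    }
    $ldap.Dispose()
    return [pscustomobject]$result
}

function Get-AdAnonymousLdapSetting {
    # AD only. The seventh character of dsHeuristics on the Directory Service object is
    # the anonymous-operations switch; '2' enables them, anything else keeps the
    # default bind-required behaviour.
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" -Properties dsHeuristics
    $h = [string]$ds.dsHeuristics
    [pscustomobject]@{
        dsHeuristics        = $h
        AnonymousOpsEnabled = ($h.Length -ge 7 -and $h[6] -eq '2')
    }
}

Test-AnonymousLdapRead -Server 'dc01.example.test' -BaseDn 'DC=example,DC=test' | Format-List
Get-AdAnonymousLdapSetting | Format-List
```

On Active Directory the root DSE is readable anonymously by design, so RootDseReadable is informational there; DataReadable is the result that decides V-14798, and a compliant domain shows it as False with an OperationsError in Detail. For a non-AD directory both results are meaningful and the second function does not apply.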