UCF STIG Viewer Logo

Active Directory Service 2008 Security Technical Implementation Guide (STIG)


Overview

Date Finding Count (26)
2011-05-23 CAT I (High): 6 CAT II (Med): 16 CAT III (Low): 4
STIG Description
This STIG is applicable for all Windows 2008 servers with the Windows Active Directory Domain Services (AD DS). The settings required by each check will be applied to each Domain Controller running the AD DS. The system must also be reviewed using the Windows 2008 (or 2008 R2) and the Active Directory Domain STIGs. Also, if a forest architecture is implemented, a security review using the Active Directory Forest STIG is required.

Available Profiles



Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-26683 High PKI certificates (user certificates) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-2370 High The access control permissions for the directory service site group policy must be configured to use the required access permissions.
V-14820 High PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
V-14798 High Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
V-8316 High Directory service data files do not have proper access permissions.
V-12780 High The Synchronize Directory Service Data user right must not be assigned to any account.
V-2380 Medium The Kerberos policy option "Maximum tolerance for computer clock synchronization" must be set to a maximum of 5 minutes or less.
V-2906 Medium Ensure a complex password filter is installed and configured to enforce password complexity requirements.
V-27109 Medium Access Control permissions on the FRS Directory data files do not have proper access permissions.
V-8326 Medium The directory server supporting (directly or indirectly) system access or resource authorization, must run on a machine dedicated to that function.
V-8327 Medium OS services that are critical for directory server operation must be configured for automatic startup.
V-8320 Medium Directory server directories and files must be configured with required permissions.
V-8322 Medium Install or enable time synchronization on the directory service server.
V-2373 Medium The Server Operators group must have the ability to schedule jobs by means of the AT command disabled.
V-14783 Medium Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
V-2377 Medium The Kerberos service ticket maximum lifetime must meet minimum standards.
V-2376 Medium The Kerberos policy option must be configured to enforce user logon restrictions.
V-2379 Medium The Kerberos policy option Maximum lifetime for user ticket renewal must be configured for a maximum of 7 days or less.
V-2378 Medium The Kerberos policy option maximum lifetime for user ticket must be set to a maximum of 10 hours or less.
V-15488 Medium For unclassified systems, the directory server must be configured to use the CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
V-8317 Medium The directory server data files must be located on a different logical partition from the data files owned by users.
V-14789 Medium Locally written (non-vendor) code used in AD operations must comply with the requirements of the Application STIG.
V-8324 Low The time synchronization tool must be configured to enable logging of time source switching.
V-14797 Low Anonymous access to the root DSE of a non-public directory must be disabled.
V-14831 Low The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.
V-4408 Low The domain controller must be configured to allow reset of machine account passwords.