
Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.


Overview

Finding ID: V-14783
Version: DS00.3281_AD
Rule ID: SV-16169r2_rule
IA Controls: ECCT-2, ECNK-2
Severity: Medium
Description
Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network or when SAMI data is included.
STIG: Active Directory Service 2008 Security Technical Implementation Guide (STIG)
Date: 2011-05-23

Details

Check Text ( C-14086r2_chk )
1. Interview the Application SA.

2. With the assistance of the SA, NSO, or network reviewer as required, review the site network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted.

3. Determine the classification level of the Windows domain controller.

4. If the classification level of the Windows domain controller is higher than the level of the networks, review the site network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic.

5. If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, then this is a finding.
Fix Text (F-15001r2_fix)
Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level that transfers replication data through a network cleared to a lower level than the data.