| V-243466 | | Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest. | The Enterprise Admins group is a highly privileged group. Personnel who are system administrators must log on to Active Directory systems only using ... |
| V-243467 | | Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers. | The Domain Admins group is a highly privileged group. Personnel who are system administrators must log on to Active Directory systems only using acco... |
| V-243470 | | Delegation of privileged accounts must be prohibited. | Privileged accounts such as those belonging to any of the administrator groups must not be trusted for delegation. Allowing privileged accounts to be ... |
| V-243482 | | Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts. | If a robust cross-domain solution is not used, then it could permit unauthorized access to classified data. To support secure access between resources... |
| V-243483 | | A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks. | The configuration of an AD trust relationship is one of the steps used to allow users in one domain to access resources in another domain, forest, or ... |
| V-243468 | | Administrators must have separate accounts specifically for managing domain member servers. | Personnel who are system administrators must log on to domain systems only using accounts with the minimum level of authority necessary. Only system a... |
| V-243469 | | Administrators must have separate accounts specifically for managing domain workstations. | Personnel who are system administrators must log on to domain systems only using accounts with the minimum level of authority necessary. Only system a... |
| V-243471 | | Local administrator accounts on domain systems must not share the same password. | Local administrator accounts on domain systems must use unique passwords. In the event a domain system is compromised, sharing the same password for l... |
| V-243472 | | Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts. | A separate smart card for Enterprise Admin and Domain Admin accounts eliminates the automatic exposure of the private keys for the EA/DA accounts to l... |
| V-243473 | | Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers. | Public facing servers should be in DMZs with separate Active Directory forests. If, because of operational necessity, this is not possible, lateral m... |
| V-243475 | | Domain controllers must be blocked from Internet access. | Domain controllers provide access to highly privileged areas of a domain. Such systems with Internet access may be exposed to numerous attacks and co... |
| V-243476 | | All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days. | When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and associated NT hash are not c... |
| V-243477 | | User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher. | User accounts with domain level administrative privileges are highly prized in Pass-the-Hash/credential theft attacks. The Protected Users group prov... |
| V-243478 | | Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation. | Unconstrained delegation enabled on a computer can allow the computer account to be impersonated without limitation. If delegation is required, it mus... |
| V-243479 | | The Directory Service Restore Mode (DSRM) password must be changed at least annually. | The Directory Service Restore Mode (DSRM) password, used to log on to a domain controller (DC) when rebooting into the server recovery mode, is very p... |
| V-243480 | | The domain functional level must be at a Windows Server version still supported by Microsoft. | Domains operating at functional levels below Windows Server versions no longer supported by Microsoft reduce the level of security in the domain and f... |
| V-243481 | | Access to need-to-know information must be restricted to an authorized community of interest. | Because trust relationships effectively eliminate a level of authentication in the trusting domain or forest, they represent less stringent access con... |
| V-243484 | | Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust. | Under some circumstances it is possible for attackers or rogue administrators that have compromised a domain controller in a trusted domain to use the... |
| V-243485 | | Selective Authentication must be enabled on outgoing forest trusts. | Enabling Selective Authentication on outbound Active Directory (AD) forest trusts significantly strengthens access control by requiring explicit autho... |
| V-243486 | | The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group. | The Pre-Windows 2000 Compatible Access group was created to allow Windows NT domains to interoperate with AD domains by allowing unauthenticated acces... |
| V-243487 | | Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited. | Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups assigns a high privilege level for AD functions. Unnecessary ... |
| V-243489 | | Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements. | The RODC role provides a unidirectional replication method for selected information from your internal network to the DMZ. If not properly configured ... |
| V-243490 | | Usage of administrative accounts must be monitored for suspicious and anomalous activity. | Monitoring the usage of administrative accounts can alert on suspicious behavior and anomalous account usage that would be indicative of potential mal... |
| V-243491 | | Systems must be monitored for attempts to use local accounts to log on remotely from other systems. | Monitoring for the use of local accounts to log on remotely from other systems may indicate attempted lateral movement in a Pass-the-Hash attack.... |
| V-243492 | | Systems must be monitored for remote desktop logons. | Remote Desktop activity for administration should be limited to specific administrators, and from limited management workstations. Monitoring for any... |
| V-243493 | | Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly. | Failure to maintain a current backup of directory data could make it difficult or impossible to recover from incidents including hardware failure or m... |
| V-243495 | | A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries. | The normal operation of AD requires the use of IP network ports and protocols to support queries, replication, user authentication, and resource autho... |
| V-243496 | | Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups. | Membership in certain default directory groups assigns a high privilege level for access to the directory. In AD, membership in the following groups e... |
| V-243497 | | Inter-site replication must be enabled and configured to occur at least daily. | Timely replication makes certain that directory service data is consistent across all servers that support the same scope of data for their clients. I... |
| V-243498 | | If a VPN is used in the AD implementation, the traffic must be inspected by the network intrusion detection system (IDS). | To provide data confidentiality, a VPN is configured to encrypt the data being transported. While this protects the data, some implementations do not ... |
| V-243500 | | Active Directory must be supported by multiple domain controllers where the Risk Management Framework categorization for Availability is moderate or high. | In Active Directory (AD) architecture, multiple domain controllers provide availability through redundancy. If an AD domain or servers within it have... |
| V-269097 | | Windows Server domain controllers must have Kerberos logging enabled with servers hosting Active Directory Certificate Services (AD CS). | Although Kerberos logging can be used for troubleshooting, it can also provide security information for successful and failed login attempts. If a mal... |
| V-243488 | | User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts. | In AD it is possible to delegate account and other AD object ownership and administration tasks. (This is commonly done for help desk or other user su... |
| V-243494 | | Each cross-directory authentication configuration must be documented. | Active Directory (AD) external, forest, and realm trust configurations are designed to extend resource access to a wider range of users (those in othe... |
| V-243499 | | Active Directory implementation information must be added to the organization contingency plan where the Risk Management Framework categorization for Availability is moderate or high. | When an incident occurs that requires multiple Active Directory (AD) domain controllers to be rebuilt, it is critical to understand the AD hierarchy a... |
| V-243501 | | The impact of CPCON changes on the cross-directory authentication configuration must be considered and procedures documented. | When incidents occur that require a change in the Cyber Protection Conditions (CPCON) with the release of USSCI 5200-13 status, it may be necessary to... |