| Finding ID |
Severity |
Title |
Description |
|
V-243483
|
High |
A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks. |
The configuration of an AD trust relationship is one of the steps used to allow users in one domain to access resources in another domain, forest, or Kerberos realm. When a trust is defined between a DoD organization and a non-DoD organization, the security posture of the two organizations might... |
|
V-243482
|
High |
Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts. |
If a robust cross-domain solution is not used, then it could permit unauthorized access to classified data. To support secure access between resources of different classification levels, the solution must meet discretionary access control requirements. There are currently, no DOD- approved solutions.
Further Policy Details: Do not define trust relationships... |
|
V-243470
|
High |
Delegation of privileged accounts must be prohibited. |
Privileged accounts such as those belonging to any of the administrator groups must not be trusted for delegation. Allowing privileged accounts to be trusted for delegation provides a means for privilege escalation from a compromised system. |
|
V-243467
|
High |
Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers. |
The Domain Admins group is a highly privileged group. Personnel who are system administrators must log on to Active Directory systems only using accounts with the level of authority necessary. Only system administrator accounts used exclusively to manage an Active Directory domain and domain controllers may be members of the... |
|
V-243466
|
High |
Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest. |
The Enterprise Admins group is a highly privileged group. Personnel who are system administrators must log on to Active Directory systems only using accounts with the level of authority necessary. Only system administrator accounts used exclusively to manage the Active Directory Forest may be members of the Enterprise Admins group.... |
|
V-269097
|
Medium |
Windows Server domain controllers must have Kerberos logging enabled with servers hosting Active Directory Certificate Services (AD CS). |
Although Kerberos logging can be used for troubleshooting, it can also provide security information for successful and failed login attempts. If a malicious actor uses a forged or unauthorized certificate to complete Kerberos PKINIT authentication, the Kerberos Authentication Service success audit in event 4768 can be used to detect the... |
|
V-243500
|
Medium |
Active Directory must be supported by multiple domain controllers where the Risk Management Framework categorization for Availability is moderate or high. |
In Active Directory (AD) architecture, multiple domain controllers provide availability through redundancy. If an AD domain or servers within it have an Availability categorization of medium or high and the domain is supported by only a single domain controller, an outage of that machine can prevent users from accessing resources... |
|
V-243498
|
Medium |
If a VPN is used in the AD implementation, the traffic must be inspected by the network Intrusion detection system (IDS). |
To provide data confidentiality, a VPN is configured to encrypt the data being transported. While this protects the data, some implementations do not allow that data to be processed through an intrusion detection system (IDS) that could detect data from a compromised system or malicious client.
Further policy details:Replace the... |
|
V-243497
|
Medium |
Inter-site replication must be enabled and configured to occur at least daily. |
Timely replication makes certain that directory service data is consistent across all servers that support the same scope of data for their clients. In AD implementation using AD Sites, domain controllers defined to be in different AD Sites require Site links to specify properties for replication scheduling.
If AD Site... |
|
V-243496
|
Medium |
Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups. |
Membership in certain default directory groups assigns a high privilege level for access to the directory. In AD, membership in the following groups enables high privileges relative to AD and the Windows OS: Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, and Incoming Forest Trust Builders.
When accounts... |
|
V-243495
|
Medium |
A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries. |
The normal operation of AD requires the use of IP network ports and protocols to support queries, replication, user authentication, and resource authorization services. At a minimum, LDAP or LDAPS is usually required for communication with every domain controller. DoD Ports, Protocols, and Services Management (PPSM) policy restricts the use... |
|
V-243493
|
Medium |
Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly. |
Failure to maintain a current backup of directory data could make it difficult or impossible to recover from incidents including hardware failure or malicious corruption. A failure to recover from the loss of directory data used in identification and authentication services (i.e., Active Directory) could result in an extended loss... |
|
V-243492
|
Medium |
Systems must be monitored for remote desktop logons. |
Remote Desktop activity for administration should be limited to specific administrators, and from limited management workstations. Monitoring for any Remote Desktop logins outside of expected activity can alert on suspicious behavior and anomalous account usage that could be indicative of potential malicious credential reuse. |
|
V-243491
|
Medium |
Systems must be monitored for attempts to use local accounts to log on remotely from other systems. |
Monitoring for the use of local accounts to log on remotely from other systems may indicate attempted lateral movement in a Pass-the-Hash attack. |
|
V-243490
|
Medium |
Usage of administrative accounts must be monitored for suspicious and anomalous activity. |
Monitoring the usage of administrative accounts can alert on suspicious behavior and anomalous account usage that would be indicative of potential malicious credential reuse. |
|
V-243489
|
Medium |
Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements. |
The RODC role provides a unidirectional replication method for selected information from your internal network to the DMZ. If not properly configured so that the risk footprint is minimized, the interal domain controller or forest can be compromised.
RODC is considered part of the site's Forest or Domain installation since... |
|
V-243487
|
Medium |
Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited. |
Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups assigns a high privilege level for AD functions. Unnecessary membership increases the risk from compromise or unintended updates. Members of these groups must specifically require those privileges and be documented. |
|
V-243486
|
Medium |
The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group. |
The Pre-Windows 2000 Compatible Access group was created to allow Windows NT domains to interoperate with AD domains by allowing unauthenticated access to certain AD data. The default permissions on many AD objects are set to allow access to the Pre-Windows 2000 Compatible Access group.
When the Anonymous Logon or... |
|
V-243485
|
Medium |
Selective Authentication must be enabled on outgoing forest trusts. |
Enabling Selective Authentication on outbound Active Directory (AD) forest trusts significantly strengthens access control by requiring explicit authorization (through the Allowed to Authenticate permission) on resources in the trusting forest. When Selective Authentication is not enabled, less secure resource access permissions (such as those that specify Authenticated Users) might permit... |
|
V-243484
|
Medium |
Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust. |
Under some circumstances it is possible for attackers or rogue administrators that have compromised a domain controller in a trusted domain to use the SID history attribute (sIDHistory) to associate SIDs with new user accounts, granting themselves unauthorized rights. To help prevent this type of attack, SID filter quarantining is... |
|
V-243481
|
Medium |
Access to need-to-know information must be restricted to an authorized community of interest. |
Because trust relationships effectively eliminate a level of authentication in the trusting domain or forest, they represent less stringent access control at the domain or forest level in which the resource resides. To mitigate this risk, trust relationships must be documented so that they can be readily verified during periodic... |
|
V-243480
|
Medium |
The domain functional level must be at a Windows Server version still supported by Microsoft. |
Domains operating at functional levels below Windows Server versions no longer supported by Microsoft reduce the level of security in the domain and forest as advanced features of the directory are not available. This also prevents the addition of domain controllers to the domain using Windows Server versions prior to... |
|
V-243479
|
Medium |
The Directory Service Restore Mode (DSRM) password must be changed at least annually. |
The Directory Service Restore Mode (DSRM) password, used to log on to a domain controller (DC) when rebooting into the server recovery mode, is very powerful. With a weak or known password, someone with local access to the DC can reboot the server and copy or modify the Active Directory... |
|
V-243478
|
Medium |
Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation. |
Unconstrained delegation enabled on a computer can allow the computer account to be impersonated without limitation. If delegation is required, it must be limited/constrained to the specific services and accounts required. |
|
V-243477
|
Medium |
User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher. |
User accounts with domain level administrative privileges are highly prized in Pass-the-Hash/credential theft attacks. The Protected Users group provides extra protections to accounts such as preventing authentication using NTLM.
These accounts include Enterprise and Domain Admins as well as other accounts that may have domain level privileges.
The Protected Users... |
|
V-243476
|
Medium |
All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days. |
When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and associated NT hash are not changed as are accounts with passwords controlled by the maximum password age. Disabling and reenabling the "Smart card is required for interactive logon"... |
|
V-243475
|
Medium |
Domain controllers must be blocked from Internet access. |
Domain controllers provide access to highly privileged areas of a domain. Such systems with Internet access may be exposed to numerous attacks and compromise the domain. Restricting Internet access for domain controllers will aid in protecting these privileged areas from being compromised. |
|
V-243473
|
Medium |
Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers. |
Public facing servers should be in DMZs with separate Active Directory forests. If, because of operational necessity, this is not possible, lateral movement from these servers must be mitigated within the forest. Having different domain accounts for administering domain joined public facing servers, from domain accounts used on internal servers,... |
|
V-243472
|
Medium |
Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts. |
A separate smart card for Enterprise Admin and Domain Admin accounts eliminates the automatic exposure of the private keys for the EA/DA accounts to less secure user platforms when the other accounts are used. Having different certificates on one card does not provide the necessary separation. The same smart card... |
|
V-243471
|
Medium |
Local administrator accounts on domain systems must not share the same password. |
Local administrator accounts on domain systems must use unique passwords. In the event a domain system is compromised, sharing the same password for local administrator accounts on domain systems will allow an attacker to move laterally and compromise multiple domain systems. |
|
V-243469
|
Medium |
Administrators must have separate accounts specifically for managing domain workstations. |
Personnel who are system administrators must log on to domain systems only using accounts with the minimum level of authority necessary. Only system administrator accounts used exclusively to manage domain workstations may be members of an administrators group for domain workstations. A separation of administrator responsibilities helps mitigate the risk... |
|
V-243468
|
Medium |
Administrators must have separate accounts specifically for managing domain member servers. |
Personnel who are system administrators must log on to domain systems only using accounts with the minimum level of authority necessary. Only system administrator accounts used exclusively to manage domain member servers may be members of an administrator group for domain member servers. A separation of administrator responsibilities helps mitigate... |
|
V-243501
|
Low |
The impact of CPCON changes on the cross-directory authentication configuration must be considered and procedures documented. |
When incidents occur that require a change in the Cyber Protection Conditions (CPCON) with the release of USSCI 5200-13 status, it may be necessary to take action to restrict or disable certain types of access based on a directory outside the Component's control. Cross-directory configurations (such as trusts and pass-through... |
|
V-243499
|
Low |
Active Directory implementation information must be added to the organization contingency plan where the Risk Management Framework categorization for Availability is moderate or high. |
When an incident occurs that requires multiple Active Directory (AD) domain controllers to be rebuilt, it is critical to understand the AD hierarchy and replication flow so that the correct recovery sequence and configuration values can be selected. Without appropriate AD forest, tree and domain structural documentation, it may be... |
|
V-243494
|
Low |
Each cross-directory authentication configuration must be documented. |
Active Directory (AD) external, forest, and realm trust configurations are designed to extend resource access to a wider range of users (those in other directories). If specific baseline documentation of authorized AD external, forest, and realm trust configurations is not maintained, it is impossible to determine if the configurations are... |
|
V-243488
|
Low |
User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts. |
In AD it is possible to delegate account and other AD object ownership and administration tasks. (This is commonly done for help desk or other user support staff.) This is done to avoid the need to assign users to Windows groups with more widely ranging privileges. If a user with... |
