Active Directory Domain Security Technical Implementation Guide (STIG)

This STIG provides focused security requirements for the AD or Active Directory Domain Services (AD DS) element for Windows Servers operating systems. These requirements apply to the domain and can typically be reviewed once per AD domain. The separate Active Directory Forest STIG contains forest level requirements. Systems must also be reviewed using the applicable Windows STIG. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V2R5

Published: 2014-10-14

Updated At: 2018-09-23 01:25:54

Actions

Download

Filter


Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-9018r3_rule AD.0260 CCI-000366 LOW User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts. In AD it is possible to delegate account and other AD object ownership and administration tasks. (This is commonly done for help desk or other user support staff.) This is done to avoid the need to assign users to Windows groups with more widely ranging p
    SV-30991r3_rule DS00.1140_AD CCI-002418 MEDIUM A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries. The normal operation of AD requires the use of IP network ports and protocols to support queries, replication, user authentication, and resource authorization services. At a minimum, LDAP or LDAPS is usually required for communication with every domain co
    SV-30994r3_rule DS00.4140_AD CCI-000067 MEDIUM If a VPN is used in the AD implementation, the traffic must be inspected by the network Intrusion detection system (IDS). To provide data confidentiality, a VPN is configured to encrypt the data being transported. While this protects the data, some implementations do not allow that data to be processed through an intrusion detection system (IDS) that could detect data from a
    SV-30996r2_rule DS00.6140_AD CCI-000366 MEDIUM When the domain supports a MAC I or II domain, the directory service must be supported by multiple directory servers. In AD architecture, multiple domain controllers provide availability through redundancy. If an AD domain or servers within it are designated as MAC I or II and the domain is supported by only a single domain controller, an outage of that machine can preve
    SV-30995r3_rule DS00.6120_AD CCI-000366 LOW AD implementation information must be added to the sites disaster recovery plans, including AD forest, tree, and domain structure. When an incident occurs that requires multiple AD domain controllers to be rebuilt, it is critical to understand the AD hierarchy and replication flow so that the correct recovery sequence and configuration values can be selected. Without appropriate AD f
    SV-31214r2_rule DS00.7100_AD CCI-000366 LOW The impact of INFOCON changes on the cross-directory authentication configuration must be considered and procedures documented. When incidents occur that require a change in the INFOCON status, it may be necessary to take action to restrict or disable certain types of access that is based on a directory outside the Component’s control. Cross-directory configurations (such as tru
    SV-30989r2_rule DS00.1120_AD CCI-000366 LOW Each cross-directory authentication configuration must be documented. AD external, forest, and realm trust configurations are designed to extend resource access to a wider range of users (those in other directories). If specific baseline documentation of authorized AD external, forest, and realm trust configurations is not
    SV-9030r2_rule AD.0170 CCI-000366 MEDIUM Access to need-to-know information must be restricted to an authorized community of interest. Because trust relationships effectively eliminate a level of authentication in the trusting domain or forest, they represent less stringent access control at the domain or forest level in which the resource resides. To mitigate this risk, trust relationsh
    SV-9031r2_rule AD.0180 CCI-000366 HIGH Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts. If a robust cross-domain solution is not used, then it could permit unauthorized access to classified data. To support secure access between resources of different classification levels, the solution must meet discretionary access control requirements. Th
    SV-9033r2_rule AD.0181 CCI-000366 HIGH A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks. The configuration of an AD trust relationship is one of the steps used to allow users in one domain to access resources in another domain, forest, or Kerberos realm. When a trust is defined between a DoD organization and a non-DoD organization, the securi
    SV-9035r2_rule AD.0190 CCI-000764 MEDIUM Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust. Under some circumstances it is possible for attackers or rogue administrators that have compromised a domain controller in a trusted domain to use the SID history attribute (sIDHistory) to associate SIDs with new user accounts, granting themselves unautho
    SV-9037r2_rule AD.0200 CCI-000213 MEDIUM Selective Authentication must be enabled on the outgoing forest trust. Outbound AD forest trusts can be configured with the Selective Authentication option. Enabling this option significantly strengthens access control by requiring explicit authorization (through the Allowed to Authenticate permission) on resources in the tr
    SV-9044r2_rule AD.0220 CCI-000804 MEDIUM The Everyone and Anonymous Logon groups must be removed from the Pre-Windows 2000 Compatible Access group. The Pre-Windows 2000 Compatible Access group was created to allow Windows NT domains to interoperate with AD domains by allowing unauthenticated access to certain AD data. The default permissions on many AD objects are set to allow access to the Pre-Windo
    SV-9045r2_rule AD.0240 CCI-000366 MEDIUM The number of member accounts in privileged groups must not be excessive. Membership in the following Windows security groups assigns a high privilege level for AD functions: Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, and Incoming Forest Trust Builders. When a large number of users are member
    SV-31557r2_rule DS00.3200_AD CCI-000366 MEDIUM Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups. Membership in certain default directory groups assigns a high privilege level for access to the directory. In AD, membership in the following groups enables high privileges relative to AD and the Windows OS: Domain Admins, Enterprise Admins, Schema Admins
    SV-9048r2_rule AD.0160 CCI-000366 MEDIUM The domain functional level must be Windows 2003 or higher. Non-vendor supported versions of AD are not permitted for use in DoD. Domain controllers using Windows NT and Windows 2000 are no longer supported or updated by the vendor. If Windows NT or Windows 2000 domain controllers are used in AD domains, the level
    SV-30992r2_rule DS00.3230_AD CCI-000366 MEDIUM Replication must be enabled and configured to occur at least daily. Timely replication makes certain that directory service data is consistent across all servers that support the same scope of data for their clients. In AD implementation using AD Sites, domain controllers defined to be in different AD Sites require Site l
    SV-31547r2_rule DS00.0160_AD CCI-000366 MEDIUM Directory data must be backed up at the required frequency. Failure to maintain a current backup of directory data could make it difficult or impossible to recover from incidents including hardware failure or malicious corruption. A failure to recover from the loss of directory data used in identification and aut
    SV-32179r2_rule AD.0151 CCI-000366 MEDIUM The Directory Service Restore Mode (DSRM) password must be changed at least annually. This is a tremendously powerful password which should be changed periodically. This password is unique to each DC and is used to logon to a DC when rebooting into the server recovery mode. With a weak or known password, anyone with local access to the D
    SV-32180r2_rule AD.9100 CCI-000366 LOW Security vulnerability reviews of the domain and/or forest in which the domain controller resides must be conducted at least annually. An AD domain controller is impacted by the AD environment created by the security configuration of the domain and forest in which the domain controller resides. A proper review of the AD environment requires checks at the domain controller, domain, and fo
    SV-32648r2_rule AD.0270 CCI-000366 MEDIUM Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements. The RODC role provides a unidirectional replication method for selected information from your internal network to the DMZ. If not properly configured so that the risk footprint is minimized, the interal domain controller or forest can be compromised. ROD
    SV-47837r2_rule AD.0001 CCI-000366 HIGH Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest. The Enterprise Admins group is a highly privileged group. Personnel who are system administrators must log on to Active Directory systems only using accounts with the level of authority necessary. Only system administrator accounts used exclusively to ma
    SV-47838r2_rule AD.0002 CCI-000366 HIGH Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers. The Domain Admins group is a highly privileged group. Personnel who are system administrators must log on to Active Directory systems only using accounts with the level of authority necessary. Only system administrator accounts used exclusively to manage
    SV-47839r2_rule AD.0003 CCI-000366 MEDIUM Administrators must have separate accounts specifically for managing domain member servers. Personnel who are system administrators must log on to domain systems only using accounts with the minimum level of authority necessary. Only system administrator accounts used exclusively to manage domain member servers may be members of an administrator
    SV-47840r2_rule AD.0004 CCI-000366 MEDIUM Administrators must have separate accounts specifically for managing domain workstations. Personnel who are system administrators must log on to domain systems only using accounts with the minimum level of authority necessary. Only system administrator accounts used exclusively to manage domain workstations may be members of an administrators
    SV-47841r2_rule AD.0005 CCI-000366 HIGH Delegation of privileged accounts must be prohibited. Privileged accounts such as those belonging to any of the administrator groups must not be trusted for delegation. Allowing privileged accounts to be trusted for delegation provides a means for privilege escalation from a compromised system.ECLP-1
    SV-47842r3_rule AD.MP.0001 CCI-001082 MEDIUM Only systems dedicated for the sole purpose of managing Active Directory must be used to manage Active Directory remotely. Only domain systems used exclusively to manage Active Directory (referred to as AD admin platforms) must be used to manage Active Directory remotely. Dedicating domain systems to be used solely for managing Active Directory will aid in protecting privile
    SV-47843r2_rule AD.0007 CCI-001084 MEDIUM Dedicated systems used for managing Active Directory remotely must be blocked from Internet Access. A system used to manage Active Directory provides access to highly privileged areas of a domain. Such a system with Internet access may be exposed to numerous attacks and compromise the domain. Restricting Internet access for dedicated systems used to ma
    SV-47844r2_rule AD.0008 CCI-001941 MEDIUM Local administrator accounts on domain systems must not share the same password. Local administrator accounts on domain systems must use unique passwords. In the event a domain system is compromised, sharing the same password for local administrator accounts on domain systems will allow an attacker to move laterally and compromise mul
    SV-56469r2_rule AD.0009 CCI-000366 MEDIUM Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts. A separate smart card for Enterprise Admin and Domain Admin accounts eliminates the automatic exposure of the private keys for the EA/DA accounts to less secure user platforms when the other accounts are used. Having different certificates on one card do
    SV-56470r2_rule AD.0010 CCI-000199 MEDIUM Enterprise Admin (EA) and Domain Admin (DA) accounts that require smart cards must have the setting Smart card is required for interactive logon disabled and re-enabled at least every 60 days. When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and associated NT hash are not changed as are accounts with passwords controlled by the maximum password age. Disabling and re-enablin
    SV-56471r2_rule AD.0011 CCI-000199 MEDIUM Administrative accounts for critical servers, that require smart cards, must have the setting Smart card is required for interactive logon disabled and re-enabled at least every 60 days. When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and associated NT hash are not changed as are accounts with passwords controlled by the maximum password age. Disabling and re-enablin
    SV-56472r2_rule AD.0012 CCI-000199 MEDIUM Other important accounts (VIPS and other administrators) that require smart cards must have the setting Smart card is required for interactive logon disabled and re-enabled at least every 60 days. When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and associated NT hash are not changed as are accounts with passwords controlled by the maximum password age. Disabling and re-enablin
    SV-56473r2_rule AD.0013 CCI-000366 MEDIUM Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers. Public facing servers should be in DMZs with separate Active Directory forests. If, because of operational necessity, this is not possible, lateral movement from these servers must be mitigated within the forest. Having different domain accounts for adm
    SV-56531r2_rule AD.MP.0002 CCI-000366 MEDIUM Systems used to manage Active Directory (AD admin platforms) must be Windows 7, Windows Server 2008 R2, or later versions of Windows. AD admin platforms are used for highly privileged activities. The later versions of Windows offer significant security improvements over earlier versions of Windows. Windows 8.1 and Windows Server 2012 R2, or later, are preferred as they offer even bett
    SV-56532r2_rule AD.MP.0003 CCI-000366 MEDIUM Separate domain administrative accounts must be used to manage AD admin platforms from any domain accounts used on, or used to manage, non-AD admin platforms. AD admin platforms are used for highly privileged activities. The accounts that have administrative privileges on AD admin platforms must not be used on or used to manage any non-AD admin platforms. Otherwise, there would be a clear path for privilege
    SV-56533r2_rule AD.AU.0001 CCI-000366 MEDIUM Usage of administrative accounts must be monitored for suspicious and anomalous activity. Monitoring the usage of administrative accounts can alert on suspicious behavior and anomalous account usage that would be indicative of potential malicious credential reuse.ECAT-1
    SV-56534r2_rule AD.AU.0002 CCI-000366 MEDIUM Systems must be monitored for attempts to use local accounts to log on remotely from other systems. Monitoring for the use of local accounts to log on remotely from other systems may indicate attempted lateral movement in a Pass-the-Hash attack.ECAT-1
    SV-56535r2_rule AD.AU.0003 CCI-000366 MEDIUM Systems must be monitored for remote desktop logons. Remote Desktop activity for administration should be limited to specific administrators, and from limited management workstations. Monitoring for any Remote Desktop logins outside of expected activity can alert on suspicious behavior and anomalous accoun
    SV-56888r2_rule AD.MP.0004 CCI-001084 MEDIUM Communications from AD admin platforms must be blocked, except with the domain controllers being managed. AD admin platforms are used for highly privileged activities. Preventing communications to and from AD admin platforms, except with the domain controllers being managed, protects against an attacker's lateral movement from a compromised platform. Requir
    SV-56889r2_rule AD.0014 CCI-000199 MEDIUM Windows service \ application accounts with administrative privileges and manually managed passwords, must have passwords changed at least every 60 days. NT hashes of passwords for accounts that are not changed regularly are susceptible to reuse by attackers using Pass-the-Hash. Windows service \ application account passwords are not typically changed for longer periods of time to ensure availability of t
    SV-67945r1_rule AD.0015 CCI-000366 MEDIUM Domain controllers must be blocked from Internet access. Domain controllers provide access to highly privileged areas of a domain. Such systems with Internet access may be exposed to numerous attacks and compromise the domain. Restricting Internet access for domain controllers will aid in protecting these pr