# Active Directory Domain

DISA STIG, Directory Services

| Vuln ID | STIG ID | CAT | Finding | Responsibility |
|---|---|---|---|---|
| V-243466 | AD.0001 | CAT I | Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest. | — |
| V-243467 | AD.0002 | CAT I | Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers. | — |
| V-243470 | AD.0005 | CAT I | Delegation of privileged accounts must be prohibited. | — |
| V-243482 | AD.0180 | CAT I | Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts. | — |
| V-243483 | AD.0181 | CAT I | A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks. | — |
| V-243468 | AD.0003 | CAT II | Administrators must have separate accounts specifically for managing domain member servers. | — |
| V-243469 | AD.0004 | CAT II | Administrators must have separate accounts specifically for managing domain workstations. | — |
| V-243471 | AD.0008 | CAT II | Local administrator accounts on domain systems must not share the same password. | — |
| V-243472 | AD.0009 | CAT II | Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts. | — |
| V-243473 | AD.0013 | CAT II | Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers. | — |
| V-243475 | AD.0015 | CAT II | Domain controllers must be blocked from Internet access. | — |
| V-243476 | AD.0016 | CAT II | All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days. | — |
| V-243477 | AD.0017 | CAT II | User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher. | — |
| V-243478 | AD.0018 | CAT II | Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation. | — |
| V-243479 | AD.0151 | CAT II | The Directory Service Restore Mode (DSRM) passwords must be changed on each Domain Controller (DC) at least annually. | — |
| V-243480 | AD.0160 | CAT II | The domain functional level must be at a Windows Server version still supported by Microsoft. | — |
| V-243481 | AD.0170 | CAT II | Access to need-to-know information must be restricted to an authorized community of interest. | — |
| V-243484 | AD.0190 | CAT II | Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust. | — |
| V-243485 | AD.0200 | CAT II | Selective Authentication must be enabled on outgoing forest trusts. | — |
| V-269097 | AD.0205 | CAT II | Windows Server domain controllers must have Kerberos logging enabled with servers hosting Active Directory Certificate Services (AD CS). | — |
| V-243486 | AD.0220 | CAT II | The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group. | — |
| V-243487 | AD.0240 | CAT II | Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited. | — |
| V-243489 | AD.0270 | CAT II | Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements. | — |
| V-243490 | AD.AU.0001 | CAT II | Usage of administrative accounts must be monitored for suspicious and anomalous activity. | — |
| V-243491 | AD.AU.0002 | CAT II | Systems must be monitored for attempts to use local accounts to log on remotely from other systems. | — |
| V-243492 | AD.AU.0003 | CAT II | Systems must be monitored for remote desktop logons. | — |
| V-243493 | DS00.0160_AD | CAT II | Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly. | — |
| V-243495 | DS00.1140_AD | CAT II | A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries. | — |
| V-243496 | DS00.3200_AD | CAT II | Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups. | — |
| V-243497 | DS00.3230_AD | CAT II | Inter-site replication must be enabled and configured to occur at least daily. | — |
| V-243498 | DS00.4140_AD | CAT II | If a VPN is used in the AD implementation, the traffic must be inspected by the network intrusion detection system (IDS). | — |
| V-243500 | DS00.6140_AD | CAT II | Active Directory must be supported by multiple domain controllers where the Risk Management Framework categorization for Availability is moderate or high. | — |
| V-243488 | AD.0260 | CAT III | User accounts with delegated authority must be removed from Windows built-in administrative groups, or the delegated authority must be removed from those accounts. | — |
| V-243494 | DS00.1120_AD | CAT III | Each cross-directory authentication configuration must be documented. | — |
| V-243499 | DS00.6120_AD | CAT III | Active Directory implementation information must be added to the organization contingency plan where the Risk Management Framework categorization for Availability is moderate or high. | — |
| V-243501 | DS00.7100_AD | CAT III | The impact of CPCON changes on the cross-directory authentication configuration must be considered and procedures documented. | — |