ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload
Active Directory Checklist, V1R1.2 Field Security Operations
22 September 2006 Defense Information Systems Agency

DS05.0220 Synch\Maint PKI Certificate Source

STIG ID \ V-Key: DS05.0220 \ V0011783
Severity: Cat II
Short Name: Synch\Maint PKI Certificate Source
IA Controls: IAKM-1, IAKM-2, IATS-1, IATS-2
MAC / Conf: 1-CSP, 2-CSP, 3-CSP
References: AD STIG 2.3.2
Long Name: PKI certificates used in a directory synchronization or maintenance application are not issued by the DoD PKI.
Checks:
• With the assistance of the application SA, display all PKI certificate(s) being used by the synchronization or maintenance application.
  - For applications accessing directory data through LDAPS, this includes the certificate installed on the directory server.
    -- For MIIS\IIFP or SimpleSync accessing AD, this includes the domain controller certificate.
  - For applications accessing directory data through HTTPS, this includes the certificate installed on the web server that provides DSML access.
• If any PKI certificate being used in a synchronization or maintenance function is not issued by the DoD PKI, and there is no written plan to implement DoD PKI certificates (per the note below), then this is a Finding.
Note: Prior to DoD PKI support for Windows domain controller certificates, some Components established alternate (Microsoft Windows-based) Certificate Authorities (CAs) to provide certificates. As of December 2005, Windows domain controller certificates are available from the DoD PKI. Per guidance in JTF-GNO Communications Tasking Order (CTO) 06-02, a plan to implement DoD PKI certificates must be established no later than 31 July 2006.

UNCLASSIFIED
5-32