ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

Active Directory Checklist, V1R1.2 Field Security Operations
22 September 2006 Defense Information Systems Agency
DS05.0240 Synch\Maint Aggregate Data File Encryption
STIG ID \ V-Key DS05.0240 \ V0011789
Severity Cat II
Short Name Synch\Maint Aggregate Data File Encryption
IA Controls ECCR-1, ECCR-2
MAC /Conf 1-CS, 2-CS, 3-CS
References AD STIG 2.3.3.3
Long Name: A directory synchronization or maintenance data file that contains a substantial
aggregate of the directory data for an entire geographic command is not
encrypted.
Checks:
• With the assistance of the application SA, determine the geographic scope of the
data in the synchronization or maintenance data files in the directories obtained in
check DS05.0200. Specifically, determine if the data contains directory
information for an *entire* geographic command such as DISA CONUS, DISA
EUROPE, or DISA PACIFIC or for *all* members of a Service or other
Component.
• If the synchronization or maintenance data files do not contain substantial
aggregates, then this check is Not Applicable.
• If any synchronization or maintenance data file does contain a substantial
aggregate, determine with the assistance of the application SA if the file is
encrypted.
- The use of a text editor to attempt to view the encrypted file or a Windows
directory display indicating the file has the encrypted attribute can be used.
• If any synchronization or maintenance data file containing a substantial aggregate
is not encrypted, then this is a Finding.
Note: This check is used to determine only *if* file encryption is used. Check
DS05.0120 would be applied to determine if the implemented encryption is FIPS
140-2 validated.
UNCLASSIFIED
5-38