ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload
Active Directory Checklist, V1R1.2 Field Security Operations
22 September 2006 Defense Information Systems Agency

DS05.0290 Synch\Maint Audit Data Access Permissions
STIG ID \ V-Key: DS05.0290 \ V0011792
Severity: Cat II
Short Name: Synch\Maint Audit Data Access Permissions
IA Controls: ECTP-1
MAC /Conf: 1-CSP, 2-CSP, 3-CSP
References: AD STIG 2.3.3.5
Long Name: Directory synchronization or maintenance audit data files do not have proper access permissions (ACLs).

Checks:
Note: This check is Not Applicable if the audit data is collected in a Windows Event Log. [Windows Event Log access control is reviewed in the Windows Checklist.]
• With the assistance of the application SA, determine the directories containing audit data files for the synchronization or maintenance application.
• Using the locations determined, compare the ACLs of the directories to the specifications in Checklist appendix A.1.5.
• If the actual permissions are not at least as restrictive as those in the appendix, then this is a Finding.

UNCLASSIFIED 5-40
DS05.0300 Synch\Maint Application Account Membership
STIG ID \ V-Key: DS05.0300 \ V0011793
Severity: Cat II
Short Name: Synch\Maint Application Account Membership
IA Controls: ECLP-1
MAC /Conf: 1-CSP, 2-CSP, 3-CSP
References: AD STIG 2.3.3.6
Long Name: An account used for a directory synchronization or maintenance application is a member of a Windows built-in administrative group.

Checks:
• With the assistance of the application SA, identify the application account(s) used to access directory data for any synchronization or maintenance application. [Retain this account information for use in a subsequent check.]
• For *each* application account that is a local (*not* AD domain) user account,
  - At a command line prompt enter: "net user account" where account is the synch\maint application account.
  - Note the Full Name and Group Membership information.
• For *each* application account that is a domain user account,
  - At a command line prompt enter: "net user account /domain" where account is the synch\maint application account.
  - Note the Full Name and Group Membership information.
• If any synchronization or maintenance application account is a member of the Administrators, Domain Admins, Enterprise Admins, or Schema Admins groups, then this is a finding.

UNCLASSIFIED 5-41
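The decision step of DS05.0300, as an added example that is not part of the checklist: the script parses the output of "net user account [/domain]" for the Full Name and group memberships and reports a finding when the account is in any of the four groups the check names. The account names and the command output are constructed for the example; note that net user lists direct memberships only, so membership inherited through a nested group has to be reviewed separately.

```python
import re

# Built-in administrative groups named in check DS05.0300; direct membership is a finding.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
_GROUP_LABELS = ("Local Group Memberships", "Global Group memberships")


def parse_net_user(output: str) -> dict:
    """Pull Full Name and group list out of `net user <account> [/domain]` output.

    Group names follow an asterisk, several per line, and wrap onto indented
    continuation lines. Only direct memberships are listed; nesting is not shown.
    """
    full_name, groups, in_block = "", [], False
    for line in output.splitlines():
        if line.startswith("Full Name"):
            full_name = line[len("Full Name"):].strip()
        if line.startswith(_GROUP_LABELS):
            in_block = True
        elif not (line.startswith(" ") and "*" in line):
            in_block = False  # any other unindented line ends the membership block
        if in_block:
            groups += [g.strip() for g in re.findall(r"\*([^*]+)", line) if g.strip() != "None"]
    return {"full_name": full_name, "groups": groups}


def evaluate(account: str, output: str) -> dict:
    """Apply the DS05.0300 rule: a synch/maint account in a privileged group is a finding."""
    info = parse_net_user(output)
    hits = sorted(PRIVILEGED_GROUPS & set(info["groups"]))
    return {"account": account, "full_name": info["full_name"],
            "privileged_groups": hits, "finding": bool(hits)}


# Constructed sample output for two domain accounts (not captured from a real system).
SAMPLE_OUTPUT = {
    "svc_ldapsync": """\
Full Name                    LDAP Sync Service
Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.
""",
    "svc_metadir": """\
Full Name                    Metadirectory Service
Local Group Memberships      *Administrators
Global Group memberships     *Domain Users         *Schema Admins
                             *Domain Admins
The command completed successfully.
""",
}
```

Running evaluate() over the captured output of each synch/maint account gives one record per account with the Full Name and the privileged groups hit, which is the information the check asks the reviewer to note.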