ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

More documents

Recommendations

Info

Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency DS05.0290 Synch\Maint Audit Data Access Permissions STIG ID \ V-Key DS05.0290 \ V0011792 Severity Cat II Short Name Synch\Maint Audit Data Access Permissions IA Controls ECTP-1 MAC /Conf 1-CSP, 2-CSP, 3-CSP References AD STIG 2.3.3.5 Long Name: Directory synchronization or maintenance audit data files do not have proper access permissions (ACLs). Checks: Note: This check is Not Applicable if the audit data is collected in a Windows Event Log. [Windows Event Log access control is reviewed in the Windows Checklist.] • With the assistance of the application SA, determine the directories containing audit data files for the synchronization or maintenance application. • Using the locations determined, compare the ACLs of the directories to the specifications in Checklist appendix A.1.5. • If the actual permissions are not at least as restrictive as those in the appendix, then this is a Finding. UNCLASSIFIED 5-40
Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency DS05.0300 Synch\Maint Application Account Membership STIG ID \ V-Key DS05.0300 \ V0011793 Severity Cat II Short Name Synch\Maint Application Account Membership IA Controls ECLP-1 MAC /Conf 1-CSP, 2-CSP, 3-CSP References AD STIG 2.3.3.6 Long Name: An account used for a directory synchronization or maintenance application is a member of a Windows built-in administrative group. Checks: • With the assistance of the application SA, identify the application account(s) used to access directory data for any synchronization or maintenance application. [Retain this account information for use in a subsequent check.] • For *each* application account that is a local (*not* AD domain) user account, - At a command line prompt enter: “net user account” where account is the synch\maint application account. - Note the Full Name and Group Membership information. • For *each* application account that is a domain user account, - At a command line prompt enter: “net user account /domain” where account is the synch\maint application account. - Note the Full Name and Group Membership information. • If any synchronization or maintenance application account is a member of the Administrators, Domain Admins, Enterprise Admins, or Schema Admins groups, then this is a finding. UNCLASSIFIED 5-41
Page 1 and 2:
ACTIVE DIRECTORY SECURITY CHECKLIST
Page 3 and 4:
Active Directory Checklist, V1R1.2
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60: Active Directory Checklist, V1R1.2
Page 109: Active Directory Checklist, V1R1.2
show all

ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?