ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

More documents

Recommendations

Info

Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency GPT (SYSVOL) Directories Component Object Account Name Type Access GPT …\SYSVOL Administrators Allow Full Control parent directory Authenticated Users Allow Read, Read & Execute, List Folder Contents CREATOR OWNER [None on dir.] Server Operators Allow Read, Read & Execute, List Folder Contents SYSTEM Allow Full Control GPT …\SYSVOL\ Administrators Allow Full Control policies directory domain\Policies Authenticated Users Allow Read, Read & Execute, List Folder Contents CREATOR OWNER [None on dir.] Group Policy Creator Allow Read, Read & Owners Execute, List Folder Contents, Modify, Write Server Operators Allow Read, Read & Execute, List Folder Contents SYSTEM Allow Full Control A.1.2 Windows Support Tools Permissions Object Account Name Type Access …\%ProgramFiles%\ Support Tools\ Administrators SYSTEM [Other IAOauthorized groups] A.1.3 Synchronization\Maintenance Software Permissions UNCLASSIFIED Allow Allow Allow Component Account Name Type Access Synch\Maint Software and Config Files Administrators [App account] [App SAs] SYSTEM Allow Allow Allow Allow Full Control Full Control Read, Execute With propagation Full Control Read, Execute Full Control Full Control A-2
Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency A.1.4 Synchronization\Maintenance Data Permissions Component Account Name Type Access Synch\Maint Data Files Administrators [App account] [App SAs] [IAO-approved users] SYSTEM UNCLASSIFIED Allow Allow Allow Allow Allow A.1.5 Synchronization\Maintenance Audit Data Permissions Component Account Name Type Access Synch\Maint audit data A.2 Registry Key Permissions Administrators [App account] [App SAs] [Auditors group] SYSTEM Allow Allow Allow Allow Allow Full Control Full Control Full Control Read, Execute Full Control Read, Execute Full Control Read, Execute Full Control Full Control At this time there are no specific registry key permission checks for compliance with the Active Directory STIG. It is assumed that the registry key permission checks in the applicable Windows Security Checklist have been applied. A.3 AD Object Permissions The permissions in this section refer to the ACL of the specified AD database objects. Notes: It is generally acceptable for an object’s access control to be more restrictive than the settings specified in this document. Group Policy Objects Object Account Name Type Access [Group Policy Administrators Allow Full Control - e.g., Default Domain] Creator Owner Allow Full Control SYSTEM Allow Full Control Authenticated Users Allow Read [or other user groups] Apply Group Policy Note: The Authenticated Users group, other locally created user groups, and individual users may have the Read and Apply Group Policy permissions set to Allow or Deny. Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the IAO. A-3
Page 1 and 2:
ACTIVE DIRECTORY SECURITY CHECKLIST
Page 3 and 4:
Active Directory Checklist, V1R1.2
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66: Active Directory Checklist, V1R1.2
Page 115: Active Directory Checklist, V1R1.2
show all

ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

Create successful ePaper yourself

Delete template?

Save as template?