ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

More documents

Recommendations

Info

Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency Organizational Unit (OU) Objects Object Account Name Type Access [Organizational Unit Administrators Allow Full Control - e.g., Domain Creator Owner Allow Full Control Controllers] SYSTEM Allow Full Control Authenticated Users [or other user groups] Allow Read If an IAO-approved distributed administration model [help desk or other user support staff] is implemented, permissions above Read may be allowed for groups documented by the IAO. A.4 AD Object Audit Settings The audit settings in this section refer to the settings of the specified AD database objects. Notes: It is generally acceptable for an object’s audit settings to be more inclusive than the settings specified in this document. Group Policy Objects [Includes Site, Default Domain, and OU GPOs] Type Account Access Scope Fail Everyone [All access types] Object and all child objects Success Everyone Modify Permissions Write All Properties groupPolicyContainer objects Note: The best method of applying audit settings for all the Group Policy Objects is by configuring the settings on the Policies container (within the domain’s System container) and specifying inheritance. Domain Object Type Account Access Scope Fail Everyone [All access types] Domain object only Success Everyone Write All Properties Modify Permissions Modify Owner Domain object only Success Administrators All Extended Rights Domain object only Success Domain Users All Extended Rights Domain object only Infrastructure Object Type Account Access Scope Fail Everyone [All access types] Infrastructure object only Success Everyone All Extended Rights Write All Properties Infrastructure object only UNCLASSIFIED A-4
Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency AdminSDHolder Object Type Account Access Scope Fail Everyone [All access types] AdminSDHolder object only Success Everyone Modify Permissions Modify Owner Write All Properties AdminSDHolder object only RID Manager$ Object Type Account Access Scope Fail Everyone [All access types] RID Manager$ object only Success Everyone All Extended Rights Write All Properties RID Manager$ object only Domain Controllers OU Object Type Account Access Scope Fail Everyone [All access types] Domain Controllers OU and Success Everyone Modify Permissions Modify Owner Create All Child Objects Delete Delete All Child Objects Delete Subtree UNCLASSIFIED all child objects Domain Controllers OU only Success Everyone Write All Properties Domain Controllers OU and all child objects A-5
Page 1 and 2:
ACTIVE DIRECTORY SECURITY CHECKLIST
Page 3 and 4:
Active Directory Checklist, V1R1.2
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68: Active Directory Checklist, V1R1.2
Page 117: Active Directory Checklist, V1R1.2
show all

ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

Create successful ePaper yourself

Delete template?

Save as template?