ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload
Active Directory Checklist, V1R1.2 Field Security Operations
22 September 2006 Defense Information Systems Agency
Organizational Unit (OU) Objects

Object                       Account Name                  Type    Access
Organizational Unit          Administrators                Allow   Full Control
[e.g., Domain Controllers]   Creator Owner                 Allow   Full Control
                             SYSTEM                        Allow   Full Control
                             Authenticated Users           Allow   Read
                             [or other user groups]

If an IAO-approved distributed administration model [help desk or other user support staff] is
implemented, permissions above Read may be allowed for groups documented by the IAO.
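The OU table above can be checked mechanically: read the OU's DACL and report every Allow entry that grants more than Read to a principal other than Administrators, Creator Owner and SYSTEM, unless that principal is on the IAO-documented delegation list. The following PowerShell is an added example, not part of the DISA checklist; it assumes the ActiveDirectory module (AD: PSDrive), and the OU distinguished name and the IAO-approved group names passed to it are placeholders you supply.

```powershell
# Added example (not from the DISA checklist): compare an OU's DACL with the OU
# baseline (Administrators / Creator Owner / SYSTEM = Full Control, everyone else
# Read, IAO-documented groups may exceed Read). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-OuBaselineAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # Groups the IAO has documented for distributed administration (help desk
        # etc.). Entries above Read for them are reported as Documented, not Finding.
        [string[]]$IaoApprovedGroups = @(),
        # Inherited ACEs come from parent containers (the domain head for a top-level
        # OU) and belong to those objects' own entries; include them only on request.
        [switch]$IncludeInherited
    )

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    # Principals the baseline grants Full Control (NTAccount names as Get-Acl returns them).
    $fullControl = @('BUILTIN\Administrators', 'CREATOR OWNER', 'NT AUTHORITY\SYSTEM')

    # GenericRead = ReadProperty | ListChildren | ListObject | ReadControl.
    # Any bit outside this mask means the ACE grants more than Read.
    $readMask = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead

    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -and -not $IncludeInherited) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }   # the baseline lists Allow ACEs only

        $who       = $ace.IdentityReference.Value
        $rights    = $ace.ActiveDirectoryRights
        $aboveRead = ([int]$rights -band (-bnot $readMask)) -ne 0

        $status = if (-not $aboveRead)                       { 'Baseline' }    # Read or less
                  elseif ($fullControl -contains $who)       { 'Baseline' }    # expected Full Control
                  elseif ($IaoApprovedGroups -contains $who) { 'Documented' }  # IAO-approved delegation
                  else                                       { 'Finding' }

        [pscustomobject]@{
            Identity  = $who
            Rights    = $rights.ToString()
            Inherited = $ace.IsInherited
            Status    = $status
        }
    }
}

# Usage (placeholder DN and group name; substitute your own):
# Test-OuBaselineAcl -DistinguishedName 'OU=Domain Controllers,DC=example,DC=com' `
#     -IaoApprovedGroups 'EXAMPLE\HelpDesk' |
#     Where-Object Status -ne 'Baseline' | Format-Table -AutoSize
```

The check is deliberately coarse: it compares the rights mask, not object-type or property-specific ACEs, so a group holding write access to a single attribute is still reported as above Read and has to be judged against the IAO documentation by hand.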
A.4 AD Object Audit Settings

The audit settings in this section are the entries required on the specified AD database objects.

Note: It is generally acceptable for an object's audit settings to be more inclusive than the
settings specified in this document.
Group Policy Objects [Includes Site, Default Domain, and OU GPOs]

Type      Account     Access                   Scope
Fail      Everyone    [All access types]       Object and all child objects
Success   Everyone    Modify Permissions       groupPolicyContainer objects
                      Write All Properties

Note: The best method of applying audit settings for all the Group Policy Objects is to
configure the settings once on the Policies container (within the domain's System container)
and set them to be inherited by the child objects.
Domain Object

Type      Account          Access                   Scope
Fail      Everyone         [All access types]       Domain object only
Success   Everyone         Write All Properties     Domain object only
                           Modify Permissions
                           Modify Owner
Success   Administrators   All Extended Rights      Domain object only
Success   Domain Users     All Extended Rights      Domain object only
Infrastructure Object

Type      Account     Access                   Scope
Fail      Everyone    [All access types]       Infrastructure object only
Success   Everyone    All Extended Rights      Infrastructure object only
                      Write All Properties
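The three tables above (Group Policy Objects, Domain Object, Infrastructure Object) and the note about inheriting from the Policies container can be applied as SACL entries with the .NET ActiveDirectoryAuditRule class. The script below is an added example, not part of the DISA checklist; it assumes the ActiveDirectory module, a domain-joined PowerShell 5 or later session, and the "Manage auditing and security log" user right (SeSecurityPrivilege), which both reading a SACL with Get-Acl -Audit and writing it require. The function names Add-AdAuditRule and Set-ChecklistObjectAudit are this example's own. The groupPolicyContainer class GUID is read from the schema rather than hard-coded.

```powershell
# Added example (not from the DISA checklist): apply the A.4 audit entries to the
# Policies container (inherited to GPOs), the domain object and the Infrastructure
# object. Requires the ActiveDirectory module and SeSecurityPrivilege. Run -WhatIf first.
Import-Module ActiveDirectory

function Add-AdAuditRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.Security.Principal.IdentityReference]$Identity,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Parameter(Mandatory)][System.Security.AccessControl.AuditFlags]$AuditFlags,
        # None = this object only; All = object and all child objects; Descendents = children only.
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None',
        # Schema class GUID limiting an inherited entry to that class (Guid.Empty = any class).
        [guid]$InheritedObjectType = [guid]::Empty
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path -Audit   # -Audit reads the SACL, not only the DACL
    $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $Identity, $Rights, $AuditFlags, $Inheritance, $InheritedObjectType)
    $acl.AddAuditRule($rule)             # appends; re-running the script adds duplicate entries
    if ($PSCmdlet.ShouldProcess($DistinguishedName, "Audit $AuditFlags for $Identity : $Rights")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

function Set-ChecklistObjectAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $domain   = Get-ADDomain
    $domainDn = $domain.DistinguishedName
    $everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'       # Everyone
    $admins   = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
    $domUsers = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::AccountDomainUsersSid, $domain.DomainSID)

    # groupPolicyContainer class GUID, resolved from the schema of this forest.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $gpcClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
    $gpcGuid  = [guid]$gpcClass.schemaIDGUID

    # Group Policy Objects: set on the Policies container and inherit. "[All access types]"
    # is GenericAll; Modify Permissions = WriteDacl; Write All Properties = WriteProperty.
    $policies = @{ DistinguishedName = "CN=Policies,CN=System,$domainDn"; Identity = $everyone }
    Add-AdAuditRule @policies -AuditFlags Failure -Rights GenericAll -Inheritance All
    Add-AdAuditRule @policies -AuditFlags Success -Rights 'WriteDacl, WriteProperty' `
        -Inheritance Descendents -InheritedObjectType $gpcGuid

    # Domain object only (default inheritance None). Modify Owner = WriteOwner;
    # All Extended Rights = ExtendedRight.
    Add-AdAuditRule -DistinguishedName $domainDn -Identity $everyone -AuditFlags Failure -Rights GenericAll
    Add-AdAuditRule -DistinguishedName $domainDn -Identity $everyone -AuditFlags Success -Rights 'WriteProperty, WriteDacl, WriteOwner'
    Add-AdAuditRule -DistinguishedName $domainDn -Identity $admins   -AuditFlags Success -Rights ExtendedRight
    Add-AdAuditRule -DistinguishedName $domainDn -Identity $domUsers -AuditFlags Success -Rights ExtendedRight

    # Infrastructure object only.
    $infraDn = "CN=Infrastructure,$domainDn"
    Add-AdAuditRule -DistinguishedName $infraDn -Identity $everyone -AuditFlags Failure -Rights GenericAll
    Add-AdAuditRule -DistinguishedName $infraDn -Identity $everyone -AuditFlags Success -Rights 'ExtendedRight, WriteProperty'
}

# Preview the changes, then apply them:
# Set-ChecklistObjectAudit -WhatIf
# Set-ChecklistObjectAudit
```

Two points to verify after applying: Get-Acl -Path "AD:\<dn>" -Audit should now list the entries (the Success entry on the Policies container shows InheritanceType Descendents with the groupPolicyContainer GUID as InheritedObjectType), and the events will only appear in the Security log if the "Audit directory service access" policy is enabled on the domain controllers, since the SACL alone generates nothing.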
UNCLASSIFIED
A-4