ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload
Active Directory Checklist, V1R1.2                     Field Security Operations
22 September 2006                                      Defense Information Systems Agency

Organizational Unit (OU) Objects

  Object: Organizational Unit (e.g., Domain Controllers)

  Account Name                                 Type    Access
  Administrators                               Allow   Full Control
  Creator Owner                                Allow   Full Control
  SYSTEM                                       Allow   Full Control
  Authenticated Users [or other user groups]   Allow   Read

  If an IAO-approved distributed administration model [help desk or other user support staff] is implemented, permissions above Read may be allowed for groups documented by the IAO.

A.4 AD Object Audit Settings

The audit settings in this section refer to the settings of the specified AD database objects.

Note: It is generally acceptable for an object's audit settings to be more inclusive than the settings specified in this document.

Group Policy Objects [Includes Site, Default Domain, and OU GPOs]

  Type      Account    Access                                     Scope
  Fail      Everyone   [All access types]                         Object and all child objects
  Success   Everyone   Modify Permissions; Write All Properties   groupPolicyContainer objects

  Note: The best method of applying audit settings for all the Group Policy Objects is by configuring the settings on the Policies container (within the domain's System container) and specifying inheritance.

Domain Object

  Type      Account          Access                                                    Scope
  Fail      Everyone         [All access types]                                        Domain object only
  Success   Everyone         Write All Properties; Modify Permissions; Modify Owner    Domain object only
  Success   Administrators   All Extended Rights                                       Domain object only
  Success   Domain Users     All Extended Rights                                       Domain object only

Infrastructure Object

  Type      Account    Access                                      Scope
  Fail      Everyone   [All access types]                          Infrastructure object only
  Success   Everyone   All Extended Rights; Write All Properties   Infrastructure object only

UNCLASSIFIED                                                                            A-4

AdminSDHolder Object

  Type      Account    Access                                                    Scope
  Fail      Everyone   [All access types]                                        AdminSDHolder object only
  Success   Everyone   Modify Permissions; Modify Owner; Write All Properties    AdminSDHolder object only

RID Manager$ Object

  Type      Account    Access                                      Scope
  Fail      Everyone   [All access types]                          RID Manager$ object only
  Success   Everyone   All Extended Rights; Write All Properties   RID Manager$ object only

Domain Controllers OU Object

  Type      Account    Access                                                                  Scope
  Fail      Everyone   [All access types]                                                      Domain Controllers OU and all child objects
  Success   Everyone   Modify Permissions; Modify Owner; Create All Child Objects; Delete;     Domain Controllers OU only
                       Delete All Child Objects; Delete Subtree
  Success   Everyone   Write All Properties                                                    Domain Controllers OU and all child objects
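An added example, not part of the DISA checklist, that reads an object's SACL with Get-Acl -Audit and reports which of the required audit entries above are present. It assumes the ActiveDirectory module (AD: drive), the privilege to read SACLs, and that the mapping from the checklist's access wording to ActiveDirectoryRights flags is the one chosen here, with the AdminSDHolder rows used as the sample requirement.

```powershell
Import-Module ActiveDirectory

# Checklist wording -> ActiveDirectoryRights flag (mapping chosen for this example)
$RightsMap = @{
    'All access types'         = 'GenericAll'
    'Modify Permissions'       = 'WriteDacl'
    'Modify Owner'             = 'WriteOwner'
    'Write All Properties'     = 'WriteProperty'
    'All Extended Rights'      = 'ExtendedRight'
    'Create All Child Objects' = 'CreateChild'
    'Delete All Child Objects' = 'DeleteChild'
    'Delete'                   = 'Delete'
    'Delete Subtree'           = 'DeleteTree'
}

function Test-RequiredAuditEntry {
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [string]$Flag,         # 'Success' or 'Failure'
        [string]$Identity,     # e.g. 'Everyone'
        [string]$Right,        # checklist wording, see $RightsMap
        [string]$Inheritance   # 'None' = object only, 'All' = object and all child objects
    )
    $want = [System.DirectoryServices.ActiveDirectoryRights]$RightsMap[$Right]
    $flag = [System.Security.AccessControl.AuditFlags]$Flag
    $inh  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance
    foreach ($ace in $Acl.Audit) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if ([int]($ace.AuditFlags -band $flag) -eq 0) { continue }
        # An all-zero ObjectType means the entry covers all properties/extended rights
        if ($ace.ObjectType -ne [guid]::Empty) { continue }
        if ($ace.InheritanceType -ne $inh) { continue }
        if (($ace.ActiveDirectoryRights -band $want) -eq $want) { return $true }
    }
    return $false
}

$domain = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domain" -Audit

# Required AdminSDHolder entries from the checklist: flag, account, access, scope
$required = @(
    @('Failure', 'Everyone', 'All access types',     'None'),
    @('Success', 'Everyone', 'Modify Permissions',   'None'),
    @('Success', 'Everyone', 'Modify Owner',         'None'),
    @('Success', 'Everyone', 'Write All Properties', 'None')
)
foreach ($r in $required) {
    $ok = Test-RequiredAuditEntry -Acl $acl -Flag $r[0] -Identity $r[1] -Right $r[2] -Inheritance $r[3]
    '{0,-8} {1,-10} {2,-22} {3}' -f $r[0], $r[1], $r[2], $(if ($ok) { 'present' } else { 'MISSING' })
}
```

The same function checks the other objects in the tables by swapping the path and the required rows, using 'All' for scopes that read "and all child objects".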