ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

More documents

Recommendations

Info

Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency B.1.2 Pre-Trip Documentation The SRR team members must make every attempt to obtain copies of the documents and procedures listed below prior to arriving on-site. The SRR team members work with the site POC to capture the required information to the fullest extent possible. Documents: a. Network diagram displaying AD architecture (forest hierarchy) including the location of Flexible Single-Master Operations (FSMO) domain controllers. The location of premise routers and any Intrusion Detection Systems should also be displayed. b. Password Policy c. List of accounts assigned to AD privileged groups including Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, and Incoming Forest Trust Builders d. List of accounts that are not members of the AD privileged groups, but do have (delegated) permission to create or change AD objects e. List of AD trust relationships, their characteristics, and the access requirement(s) that the trusts support f. Trust relationship documentation Procedures: a. Standard Operating Procedures (SOP) for data backup b. Supplemental INFOCON response procedures, including any AD trust-specific actions c. Configuration management procedures that apply to AD schema updates d. Disaster recovery procedures, including any AD-specific actions The SRR team members will obtain copies of all listed documentation and procedures for examination. The Team Lead or Reviewer should request the documentation from the site's POC in any one of the following formats, listed in the order of preference: - CD-ROM - Diskette - Signed, encrypted e-mail - Paper. UNCLASSIFIED B-2
Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency B.2 AD Documentation Examples This section of the appendix provides examples of documentation that could be used to meet requirements for compliance with the Active Directory STIG. B.2.1 Trust Relationship Documentation The following subsections provide examples of documentation to satisfy trust relationship requirements. Note that some trust attributes are relevant only to specific configurations as follows: - Selective Authentication is not applicable (N/A) for realm trusts or any incoming trusts. - SID Filtering is not applicable (N/A) for realm trusts or any incoming trusts. B.2.1.1 Example Trust Relationship Documentation - Child Domain The following example documents trust relationships for a domain that has established two unidirectional external trusts with one other domain and a realm trust with a Kerberos domain. AD Trust Relationship Documentation A. Domain NetBIOS name:_NORTH____ Verified:_Mar 2006_ Fully Qualified Domain Name:__NORTH.AOFN21.DISA.MIL___________ B. Classification:_Unclass____ C. MAC:_II_ Confidentiality:_Sensitive__ D. Trusts Defined: Type Other Party (NetBIOS\FQDN) MAC Classif. Direction Transitive Selective External MEFN19 \ MEFN19.USN.MIL II Unclass Outgoing N/A Yes Yes External MEFN19 \ MEFN19.USN.MIL II Unclass Incoming N/A N/A N/A Realm UNI91 II Unclass Outgoing No N/A N/A UNCLASSIFIED Auth SID Filtering B-3
Page 1 and 2:
ACTIVE DIRECTORY SECURITY CHECKLIST
Page 3 and 4:
Active Directory Checklist, V1R1.2
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72: Active Directory Checklist, V1R1.2
Page 121: Active Directory Checklist, V1R1.2
show all

ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?