ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload
Active Directory Checklist, V1R1.2                          Field Security Operations
22 September 2006                                           Defense Information Systems Agency

E. Access Requirements:

  Other Party (NetBIOS\FQDN)    Access Requirements
  MEFN19 \ MEFN19.USN.MIL       - NORTH users access personnel files in the MEFN19 domain.
                                - MEFN users access inventory files in the NORTH domain.
  UNI91                         - UNI91 (Solaris) users access inventory files in the NORTH domain.

B.2.1.2 Example Trust Relationship Documentation - Forest Root Domain

The following example documents trust relationships for a forest root domain that has established a bidirectional forest trust with another forest and an incoming forest trust with a DMZ-based forest.

AD Trust Relationship Documentation

A. Domain NetBIOS name: VCFN                                Verified: Jan 2006
   Fully Qualified Domain Name: VCFN.DISA.MIL
B. Classification: Unclass
C. MAC: II    Confidentiality: Sensitive
D. Trusts Defined:

  Type    Other Party (NetBIOS\FQDN)   MAC  Classif.  Direction  Transitive  Selective Auth  SID Filtering
  Forest  AOFN21 \ AOFN21.DISA.MIL     II   Unclass   Both       N/A         Yes             Yes
  Forest  VCDMZF \ VCDMZF.DISA.MIL     II   Unclass   Incoming   N/A         N/A             N/A

E. Access Requirements:

  Other Party (NetBIOS\FQDN)   Access Requirements
  AOFN21 \ AOFN21.DISA.MIL     - VCFN users access Target Practice application hosted in AOFN21 forest.
                               - AOFN21 users access color laser printers in VCFN forest.
  VCDMZF \ VCDMZF.DISA.MIL     - VCDMZF is a DMZ forest that may be accessed by VCFN administrators.

UNCLASSIFIED                                                                                    B-4
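The worksheet above is only useful if it matches what is actually configured. The following PowerShell is an added example, not part of the DISA checklist, that reconciles the section D rows against the trustedDomain objects returned by Get-ADTrust. It decodes the trustAttributes flag bits directly (values from MS-ADTS) rather than relying on the cmdlet's convenience properties, reports trusts that are missing from the worksheet or stale on it, and flags any outgoing trust without SID filtering regardless of what the sheet says. It goes beyond the example's two forest trusts by also classifying external and intra-forest trusts. Assumptions: the ActiveDirectory module is available for the live run; the $Documented rows are transcribed from the VCFN example; the $Constructed objects and the OLDLAB.LOCAL trust are made up so the function can be exercised offline.

```powershell
Import-Module ActiveDirectory -ErrorAction SilentlyContinue   # only needed for the live Get-ADTrust call

# trustAttributes flag bits (MS-ADTS); only those the worksheet columns depend on.
$TA_QUARANTINED_DOMAIN = 0x04   # SID filtering ("quarantine") on an external trust
$TA_FOREST_TRANSITIVE  = 0x08   # forest trust
$TA_CROSS_ORGANIZATION = 0x10   # selective authentication in effect
$TA_WITHIN_FOREST      = 0x20   # parent-child / tree-root trust inside the forest
$TA_TREAT_AS_EXTERNAL  = 0x40   # forest trust relaxed to external-style SID filtering (SID history honoured)

# Worksheet section D for VCFN, transcribed as data. $null stands for "N/A" on the sheet.
$Documented = @(
    [pscustomobject]@{ Target='AOFN21.DISA.MIL'; Type='Forest'; Direction='BiDirectional'; SelectiveAuth=$true; SidFiltering=$true }
    [pscustomobject]@{ Target='VCDMZF.DISA.MIL'; Type='Forest'; Direction='Inbound';       SelectiveAuth=$null; SidFiltering=$null }
)

function Test-TrustMatchesWorksheet {
    param(
        [Parameter(Mandatory)] [object[]] $Documented,
        [Parameter(Mandatory)] [object[]] $Live    # Get-ADTrust output, or objects shaped like it
    )
    foreach ($t in $Live) {
        $attr     = [int]$t.TrustAttributes
        $isForest = [bool]($attr -band $TA_FOREST_TRANSITIVE)
        $liveType = if ($attr -band $TA_WITHIN_FOREST) { 'Intra-forest' } elseif ($isForest) { 'Forest' } else { 'External' }
        # Selective authentication and SID filtering are enforced by the trusting (outgoing) side,
        # which is why the worksheet marks them N/A on an incoming trust.
        $outgoing = [string]$t.Direction -in @('Outbound', 'BiDirectional')
        $selAuth  = [bool]($attr -band $TA_CROSS_ORGANIZATION)
        $sidFilt  = if ($isForest) { -not [bool]($attr -band $TA_TREAT_AS_EXTERNAL) } else { [bool]($attr -band $TA_QUARANTINED_DOMAIN) }

        $doc    = $Documented | Where-Object { $_.Target -ieq $t.Target }
        $issues = New-Object System.Collections.Generic.List[string]
        if (-not $doc) {
            $issues.Add('not on the worksheet')
        } else {
            if ($doc.Type -ne $liveType)                 { $issues.Add("type differs from worksheet ($($doc.Type))") }
            if ([string]$t.Direction -ne $doc.Direction) { $issues.Add("direction differs from worksheet ($($doc.Direction))") }
            if ($outgoing) {
                if ($null -ne $doc.SelectiveAuth -and $selAuth -ne $doc.SelectiveAuth) { $issues.Add("selective auth is $selAuth, worksheet says $($doc.SelectiveAuth)") }
                if ($null -ne $doc.SidFiltering  -and $sidFilt -ne $doc.SidFiltering)  { $issues.Add("SID filtering is $sidFilt, worksheet says $($doc.SidFiltering)") }
            }
        }
        # Regardless of the worksheet, an outgoing trust to another forest or domain without SID filtering is a finding.
        if ($outgoing -and $liveType -ne 'Intra-forest' -and -not $sidFilt) { $issues.Add('SID filtering disabled on an outgoing trust') }

        [pscustomobject]@{
            Target        = $t.Target
            Type          = $liveType
            Direction     = [string]$t.Direction
            SelectiveAuth = $selAuth
            SIDFiltering  = $sidFilt
            Issues        = ($issues -join '; ')
        }
    }
    # Worksheet rows with no live trust behind them are stale documentation.
    foreach ($d in $Documented) {
        if (-not ($Live | Where-Object { $_.Target -ieq $d.Target })) {
            [pscustomobject]@{ Target = $d.Target; Type = $d.Type; Direction = $d.Direction
                               SelectiveAuth = $null; SIDFiltering = $null; Issues = 'on the worksheet but no such trust exists' }
        }
    }
}

# Constructed stand-in for Get-ADTrust output (not real data) so the check runs offline:
# AOFN21 as a bidirectional forest trust with selective auth (0x08 + 0x10), VCDMZF as an
# incoming forest trust, and a made-up outgoing external trust with quarantine cleared.
$Constructed = @(
    [pscustomobject]@{ Target='AOFN21.DISA.MIL'; Direction='BiDirectional'; TrustAttributes=0x18 }
    [pscustomobject]@{ Target='VCDMZF.DISA.MIL'; Direction='Inbound';       TrustAttributes=0x08 }
    [pscustomobject]@{ Target='OLDLAB.LOCAL';    Direction='Outbound';      TrustAttributes=0x01 }
)
Test-TrustMatchesWorksheet -Documented $Documented -Live $Constructed | Format-Table -AutoSize

# Against the real forest root domain, run from a DC or an RSAT host:
# Test-TrustMatchesWorksheet -Documented $Documented -Live (Get-ADTrust -Filter *) | Format-Table -AutoSize
```

With the constructed input, the two documented trusts come back with an empty Issues column and OLDLAB.LOCAL is reported both as undocumented and as an outgoing trust with SID filtering disabled. The Verified date on the worksheet is the reminder that this comparison has to be repeated; a trust added with netdom after the sheet was signed will only show up here.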
APPENDIX C: VMS PROCESS GUIDANCE

This appendix provides guidance for entering and accessing the asset information in VMS for the items covered by the Checklist. There are three review subjects covered in the Checklist:

- Active Directory Implementation - This subject covers checks for AD Domain Controllers, AD Domains, and the AD Forest that make up an implementation of Active Directory.
- Synchronization\Maintenance Application - This subject covers checks for an individual installation of an application used to perform synchronization or maintenance on one or more Active Directory implementations.
- ADAM - This subject covers checks for an individual installation of ADAM as a directory service.

To understand how to access the VMS data, it is helpful to know how the data is organized. The following table summarizes this VMS data organization.

  Review Subject                   Items Included           VMS Asset Data Organization                                   VMS Asset Type
  Active Directory Implementation  AD Domain Controller     Windows server OS Asset Posture with Domain Controller Role   Computing
                                   AD Domain                Active Directory Domain Asset                                 Non-Computing
                                   AD Forest                Active Directory Forest Asset                                 Non-Computing
  Synch\Maint Application          Synch\Maint Application  Synch\Maint App Asset Posture                                 Computing
  ADAM                             ADAM Instance            ADAM Instance Asset Posture                                   Computing

Note: The path used to access asset data in the VMS application depends on the assigned role of the user:

- System Administrators (SAs) use the Asset Finding Maint. item on the VMS menu, select the Assets / Findings item, and navigate to assets under the By Location branch.
- Reviewers use the Asset Finding Maint. item on the VMS menu, select the Assets / Findings item, and navigate to assets under the Visit branch.

Because this is the significant detail in which the procedures vary between SAs and Reviewers, a single set of procedures is defined here and variations are noted where relevant.

C.1 AD Implementation Data - AD Domain Controller, AD Domain, AD Forest

AD implementation data is expressed in VMS through three categories:

- The AD Domain Controller category is not explicitly defined in VMS. Rather, to take advantage of the existing VMS data, the asset data for AD Domain Controllers is stored under assets that are defined with a Windows server OS Asset Posture and the Domain Controller Role.
- AD Domain asset data is stored through the definition of an "Active Directory Domain" Non-Computing asset in VMS.
- AD Forest asset data is stored through the definition of an "Active Directory Forest" Non-Computing asset in VMS.