ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload
ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload
Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency This page intentionally blank. UNCLASSIFIED 2-26
Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency 3. SYSTEM ADMINISTRATOR / INFORMATION ASSURANCE OFFICER INTERVIEW QUESTIONS This section of the Checklist provides questions that must be asked of the System Administrator (SA) or the Information Assurance Officer (IAO) in an interview during the review. The responses to these questions may be recorded on a copy of the Review Results Report in Section 2. 3.1 Review Process Information The text in this section identifies a single individual, by role, to respond to the interview questions. In most cases this is the IAM or IAO. However, it is understood that in many cases the information will come from an SA or application SA. The following items should be available to accelerate the interview process: - Locations of AD forest root FSMO domain controllers [This includes the Windows server(s) holding the Domain Naming Master, Schema Master, PDC Emulator, RID Master, and Infrastructure Master FSMO roles.] - Locations of AD domain controllers and AD sites, relative to the local Enclave network boundaries - Lists of accounts assigned to AD privileged groups (Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, and Incoming Forest Trust Builders) - List of accounts with the right to create AD objects (e.g., accounts, printers), but that are not members of the built-in AD privileged groups. - Backup and continuity of operations or disaster recovery documents related to the Windows domain controllers - Information about specific directory synchronization and maintenance applications that are implemented. This includes products such as CPS Systems SimpleSync, Microsoft Identity Integration Server (MIIS), and Microsoft Identity Integration Feature Pack (IIFP). Please note that it would be significantly more efficient to gather this information prior to the start of a review. Appendix B Section B.1, Pre-Trip Information Gathering, provides lists of interview questions and documentation items that should be used in advance to assemble the required information. Please reference Appendix D, Directory Information Gathering, for tools and procedures that can be used to gather some of the information required for a review. In particular, Section D.1.3, Identifying Holders of FSMO Roles, can be used to gather the current FSMO information for the AD environment. UNCLASSIFIED 3-1
- Page 1 and 2: ACTIVE DIRECTORY SECURITY CHECKLIST
- Page 3 and 4: Active Directory Checklist, V1R1.2
- Page 5 and 6: Active Directory Checklist, V1R1.2
- Page 7 and 8: Active Directory Checklist, V1R1.2
- Page 9 and 10: Active Directory Checklist, V1R1.2
- Page 11 and 12: Active Directory Checklist, V1R1.2
- Page 13 and 14: Active Directory Checklist, V1R1.2
- Page 15 and 16: Active Directory Checklist, V1R1.2
- Page 17 and 18: Active Directory Checklist, V1R1.2
- Page 19 and 20: Active Directory Checklist, V1R1.2
- Page 21 and 22: Active Directory Checklist, V1R1.2
- Page 23 and 24: Active Directory Checklist, V1R1.2
- Page 25 and 26: Active Directory Checklist, V1R1.2
- Page 27 and 28: Active Directory Checklist, V1R1.2
- Page 29 and 30: Active Directory Checklist, V1R1.2
- Page 31 and 32: Active Directory Checklist, V1R1.2
- Page 33 and 34: Active Directory Checklist, V1R1.2
- Page 35: Active Directory Checklist, V1R1.2
- Page 39 and 40: Active Directory Checklist, V1R1.2
- Page 41 and 42: Active Directory Checklist, V1R1.2
- Page 43 and 44: Active Directory Checklist, V1R1.2
- Page 45 and 46: Active Directory Checklist, V1R1.2
- Page 47 and 48: Active Directory Checklist, V1R1.2
- Page 49 and 50: Active Directory Checklist, V1R1.2
- Page 51 and 52: Active Directory Checklist, V1R1.2
- Page 53 and 54: Active Directory Checklist, V1R1.2
- Page 55 and 56: Active Directory Checklist, V1R1.2
- Page 57 and 58: Active Directory Checklist, V1R1.2
- Page 59 and 60: Active Directory Checklist, V1R1.2
- Page 61 and 62: Active Directory Checklist, V1R1.2
- Page 63 and 64: Active Directory Checklist, V1R1.2
- Page 65 and 66: Active Directory Checklist, V1R1.2
- Page 67 and 68: Active Directory Checklist, V1R1.2
- Page 69 and 70: Active Directory Checklist, V1R1.2
- Page 71 and 72: Active Directory Checklist, V1R1.2
- Page 73 and 74: Active Directory Checklist, V1R1.2
- Page 75 and 76: Active Directory Checklist, V1R1.2
- Page 77 and 78: Active Directory Checklist, V1R1.2
- Page 79 and 80: Active Directory Checklist, V1R1.2
- Page 81 and 82: Active Directory Checklist, V1R1.2
- Page 83 and 84: Active Directory Checklist, V1R1.2
- Page 85 and 86: Active Directory Checklist, V1R1.2
Active Directory Checklist, V1R1.2 Field Security Operations<br />
22 September 2006 Defense Information Systems Agency<br />
This page intentionally blank.<br />
UNCLASSIFIED<br />
2-26