ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload
Active Directory Checklist, V1R1.2                                Field Security Operations
22 September 2006                                   Defense Information Systems Agency
3. SYSTEM ADMINISTRATOR / INFORMATION ASSURANCE OFFICER INTERVIEW QUESTIONS

This section of the Checklist provides questions that must be asked of the System Administrator (SA) or the Information Assurance Officer (IAO) in an interview during the review. The responses to these questions may be recorded on a copy of the Review Results Report in Section 2.
3.1 Review Process Information

The text in this section identifies a single individual, by role, to respond to the interview questions. In most cases this is the Information Assurance Manager (IAM) or the IAO. However, it is understood that in many cases the information will actually come from an SA or an application SA.
The following items should be available to accelerate the interview process:

- Locations of the AD forest root FSMO domain controllers. [This includes the Windows server(s) holding the Domain Naming Master, Schema Master, PDC Emulator, RID Master, and Infrastructure Master FSMO roles.]
- Locations of AD domain controllers and AD sites, relative to the local Enclave network boundaries.
- Lists of accounts assigned to AD privileged groups (Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, and Incoming Forest Trust Builders).
- List of accounts with the right to create AD objects (e.g., accounts, printers) that are not members of the built-in AD privileged groups.
- Backup and continuity of operations or disaster recovery documents related to the Windows domain controllers.
- Information about specific directory synchronization and maintenance applications that are implemented. This includes products such as CPS Systems SimpleSync, Microsoft Identity Integration Server (MIIS), and Microsoft Identity Integration Feature Pack (IIFP).
Please note that it would be significantly more efficient to gather this information prior to the start of a review. Appendix B, Section B.1, Pre-Trip Information Gathering, provides lists of interview questions and documentation items that should be used in advance to assemble the required information.

Please reference Appendix D, Directory Information Gathering, for tools and procedures that can be used to gather some of the information required for a review. In particular, Section D.1.3, Identifying Holders of FSMO Roles, can be used to gather the current FSMO information for the AD environment.
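The following script is an added example, not part of this checklist or of the Appendix D procedures it references. It collects the first four items of the list above (FSMO role holders, domain controllers by site, recursive membership of the named privileged groups, and non-default principals holding CreateChild rights on the domain head or an OU) using the ActiveDirectory PowerShell module, which assumes RSAT on a domain-joined host running Windows Server 2008 R2 or later, a platform that postdates this 2006 checklist. The exclusion pattern for well-known administrative principals is an assumption chosen for illustration and should be adjusted to the environment being reviewed.

```powershell
# Added example (not from the DISA checklist): pre-interview AD information gathering.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host; read access
# to the directory is sufficient, no privileged account is needed.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. FSMO role holders. Schema Master and Domain Naming Master are forest-wide;
#    PDC Emulator, RID Master and Infrastructure Master are per domain.
$fsmo = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}
"== FSMO role holders ($($domain.DNSRoot)) =="
$fsmo.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

# 2. Domain controllers and the AD site each belongs to (compare against the
#    Enclave boundary documentation during the interview).
"`n== Domain controllers by site =="
Get-ADDomainController -Filter * |
    Sort-Object Site, HostName |
    Format-Table Site, HostName, IPv4Address, IsGlobalCatalog, IsReadOnly -AutoSize

# 3. Privileged group membership, expanded through nested groups. Enterprise Admins,
#    Schema Admins and Incoming Forest Trust Builders exist only in the forest root
#    domain, so those three are queried against the root domain explicitly.
$rootDomain = $forest.RootDomain
$groups = @(
    @{ Name = 'Domain Admins';                 Server = $domain.DNSRoot },
    @{ Name = 'Group Policy Creator Owners';   Server = $domain.DNSRoot },
    @{ Name = 'Enterprise Admins';             Server = $rootDomain },
    @{ Name = 'Schema Admins';                 Server = $rootDomain },
    @{ Name = 'Incoming Forest Trust Builders'; Server = $rootDomain }
)
"`n== Privileged group membership (recursive) =="
foreach ($g in $groups) {
    # -Recursive follows nested groups; members from other domains can cause
    # resolution errors, which are suppressed rather than aborting the run.
    $members = @(Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive -ErrorAction SilentlyContinue)
    "{0} ({1}): {2} member(s)" -f $g.Name, $g.Server, $members.Count
    $members | ForEach-Object { "    {0,-30} {1}" -f $_.SamAccountName, $_.objectClass }
}

# 4. Principals able to create objects without being in the built-in privileged
#    groups: read the ACL of the domain head and every OU and keep Allow ACEs that
#    carry CreateChild (GenericAll includes it). The exclusion regex below is an
#    assumption for illustration; tune it to the names used in the environment.
"`n== Non-default principals with CreateChild rights on the domain head and OUs =="
$builtinAdmins = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\.*|.*\\Domain Admins|.*\\Enterprise Admins|.*\\Schema Admins)$'
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$containers    = @($domain.DistinguishedName) +
                 @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"          # the AD: drive is provided by the module
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($createChild) -and
            $_.IdentityReference.Value -notmatch $builtinAdmins
        } |
        ForEach-Object {
            "{0}`n    {1}  (inherited: {2})" -f $dn, $_.IdentityReference.Value, $_.IsInherited
        }
}
```

Run it once per domain in the forest; the FSMO and privileged-group output maps directly to the items the reviewer is asked to have on hand, and the ACL pass surfaces delegated object-creation rights that do not appear in any group listing. Redirect the output to a file so it can be attached to the Review Results Report.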
UNCLASSIFIED
3-1