ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

More documents

Recommendations

Info

Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency DS10.0110 AD Inter-Enclave VPN Usage STIG ID \ V-Key DS10.0110 \ V0008522 Severity Cat II Short Name AD Inter-Enclave VPN Usage IA Controls DCPP-1 MAC /Conf 1-CSP, 2-CSP, 3-CSP References AD STIG 2.3.1.3 DODI 8551.1 Long Name: An AD implementation (domains or forest) that spans enclave boundaries does not use a VPN to protect AD network traffic. Checks: • Interview the IAM. • With the assistance of the SA, NSO, or network reviewer as required, review the site network diagram(s) to determine if domain controllers for the AD forest are located in multiple enclaves. - The object is to determine if AD network traffic is traversing enclave network boundaries. • If domain controllers are *not* located in multiple enclaves, then this check is Not Applicable. • If domain controllers are located in multiple enclaves, verify that a VPN is used to transport the AD network traffic (replication, user logon, AD queries, etc.). [Retain this location and VPN information for use in a subsequent check.] • If a VPN solution is not used to transport AD network traffic across enclave boundaries, then this is a Finding. Note: This check and the associated requirement are based on DoD ports and protocols restrictions stated in DoD Instruction 8551.1 and linked documents. UNCLASSIFIED 3-6
Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency DS10.0300 IDS Visibility of AD VPN Data Transport STIG ID \ V-Key DS10.0300 \ V0008523 Severity Cat II Short Name IDS Visibility of AD VPN Data Transport IA Controls EBVC-1 MAC /Conf 1-CSP, 2-CSP, 3-CSP References AD STIG 2.3.4 Long Name: The VPN used to protect AD network traffic does not support visibility by an IDS. Checks: • Interview the IAO. • If the response to check DS10.0110 indicates that domain controllers are *not* located in multiple enclaves, then this check is Not Applicable. • If the response to check DS10.0110 indicates that domain controllers *are* located in multiple enclaves and a VPN is *not* used, then this check is Not Applicable. • If the response to check DS10.0110 indicates that domain controllers *are* located in multiple enclaves and a VPN *is* used, review the site network diagram(s) with the SA, NSO, or network reviewer as required to determine if the AD network traffic is visible to a network or host IDS. • If the AD network traffic is not visible to a network or host IDS, then this is a Finding. UNCLASSIFIED 3-7
Page 1 and 2: ACTIVE DIRECTORY SECURITY CHECKLIST
Page 3 and 4: Active Directory Checklist, V1R1.2
Page 41: Active Directory Checklist, V1R1.2
Page 93 and 94:
Active Directory Checklist, V1R1.2
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
show all

ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?