ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload


Active Directory Checklist, V1R1.2
Field Security Operations
22 September 2006
Defense Information Systems Agency

DS10.0110 AD Inter-Enclave VPN Usage

STIG ID \ V-Key DS10.0110 \ V0008522
Severity Cat II
Short Name AD Inter-Enclave VPN Usage
IA Controls DCPP-1
MAC /Conf 1-CSP, 2-CSP, 3-CSP
References AD STIG 2.3.1.3; DODI 8551.1

Long Name: An AD implementation (domains or forest) that spans enclave boundaries does not use a VPN to protect AD network traffic.

Checks:
• Interview the IAM.
• With the assistance of the SA, NSO, or network reviewer as required, review the site network diagram(s) to determine if domain controllers for the AD forest are located in multiple enclaves.
  - The object is to determine if AD network traffic is traversing enclave network boundaries.
• If domain controllers are *not* located in multiple enclaves, then this check is Not Applicable.
• If domain controllers are located in multiple enclaves, verify that a VPN is used to transport the AD network traffic (replication, user logon, AD queries, etc.). [Retain this location and VPN information for use in a subsequent check.]
• If a VPN solution is not used to transport AD network traffic across enclave boundaries, then this is a Finding.

Note: This check and the associated requirement are based on DoD ports and protocols restrictions stated in DoD Instruction 8551.1 and linked documents.

UNCLASSIFIED 3-6

DS10.0300 IDS Visibility of AD VPN Data Transport

STIG ID \ V-Key DS10.0300 \ V0008523
Severity Cat II
Short Name IDS Visibility of AD VPN Data Transport
IA Controls EBVC-1
MAC /Conf 1-CSP, 2-CSP, 3-CSP
References AD STIG 2.3.4

Long Name: The VPN used to protect AD network traffic does not support visibility by an IDS.

Checks:
• Interview the IAO.
• If the response to check DS10.0110 indicates that domain controllers are *not* located in multiple enclaves, then this check is Not Applicable.
• If the response to check DS10.0110 indicates that domain controllers *are* located in multiple enclaves and a VPN is *not* used, then this check is Not Applicable.
• If the response to check DS10.0110 indicates that domain controllers *are* located in multiple enclaves and a VPN *is* used, review the site network diagram(s) with the SA, NSO, or network reviewer as required to determine if the AD network traffic is visible to a network or host IDS.
• If the AD network traffic is not visible to a network or host IDS, then this is a Finding.

UNCLASSIFIED 3-7
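The two checks above form a small decision table in which DS10.0300 is only applicable when DS10.0110 established that the forest spans enclaves and a VPN is in use. The following evaluator is an added example, not part of the DISA checklist: it encodes that logic over a constructed site review, assumes enclave membership has already been read off the network diagram, and uses "Not a Finding" as an assumed label for a check that passes (the checklist itself names only "Finding" and "Not Applicable").

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    NOT_APPLICABLE = "Not Applicable"
    FINDING = "Finding"
    NOT_A_FINDING = "Not a Finding"  # assumed label for a passing check


@dataclass(frozen=True)
class DomainController:
    name: str
    enclave: str  # enclave the DC sits in, taken from the site network diagram


@dataclass(frozen=True)
class SiteReview:
    """Answers gathered from the network diagram and the IAM/IAO interviews."""
    domain_controllers: tuple[DomainController, ...]
    vpn_protects_ad_traffic: bool    # replication/logon/query traffic carried over a VPN?
    ad_traffic_visible_to_ids: bool  # can a network or host IDS see that traffic?


def spans_enclaves(review: SiteReview) -> bool:
    """DS10.0110 precondition: DCs of the forest live in more than one enclave."""
    return len({dc.enclave for dc in review.domain_controllers}) > 1


def check_ds10_0110(review: SiteReview) -> Result:
    """AD Inter-Enclave VPN Usage."""
    if not spans_enclaves(review):
        return Result.NOT_APPLICABLE
    return Result.NOT_A_FINDING if review.vpn_protects_ad_traffic else Result.FINDING


def check_ds10_0300(review: SiteReview) -> Result:
    """IDS Visibility of AD VPN Data Transport; applies only when DS10.0110 found a VPN in use."""
    if check_ds10_0110(review) is not Result.NOT_A_FINDING:
        return Result.NOT_APPLICABLE  # single enclave, or multi-enclave without a VPN
    return Result.NOT_A_FINDING if review.ad_traffic_visible_to_ids else Result.FINDING


def evaluate(review: SiteReview) -> dict[str, Result]:
    return {"DS10.0110": check_ds10_0110(review), "DS10.0300": check_ds10_0300(review)}


# Constructed sample inputs (not from the checklist): one forest under three site designs.
DCS = (DomainController("DC1", "enclave-A"), DomainController("DC2", "enclave-B"))
SINGLE_ENCLAVE = SiteReview((DomainController("DC1", "enclave-A"),), False, False)
VPN_BLIND_TO_IDS = SiteReview(DCS, vpn_protects_ad_traffic=True, ad_traffic_visible_to_ids=False)
NO_VPN = SiteReview(DCS, vpn_protects_ad_traffic=False, ad_traffic_visible_to_ids=True)

if __name__ == "__main__":
    for label, review in [("single enclave", SINGLE_ENCLAVE), ("vpn hidden from ids", VPN_BLIND_TO_IDS), ("no vpn", NO_VPN)]:
        print(label, {k: v.value for k, v in evaluate(review).items()})
```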

