ACTIVE DIRECTORY SECURITY CHECKLIST
Active Directory Checklist, V1R1.2 Field Security Operations
22 September 2006 Defense Information Systems Agency

DS10.0110 AD Inter-Enclave VPN Usage
STIG ID \ V-Key DS10.0110 \ V0008522
Severity Cat II
Short Name AD Inter-Enclave VPN Usage
IA Controls DCPP-1
MAC /Conf 1-CSP, 2-CSP, 3-CSP
References AD STIG 2.3.1.3, DODI 8551.1
Long Name: An AD implementation (domains or forest) that spans enclave boundaries does not use a VPN to protect AD network traffic.
Checks:
• Interview the IAM.
• With the assistance of the SA, NSO, or network reviewer as required, review the site network diagram(s) to determine if domain controllers for the AD forest are located in multiple enclaves.
  - The objective is to determine if AD network traffic is traversing enclave network boundaries.
• If domain controllers are *not* located in multiple enclaves, then this check is Not Applicable.
• If domain controllers are located in multiple enclaves, verify that a VPN is used to transport the AD network traffic (replication, user logon, AD queries, etc.). [Retain this location and VPN information for use in a subsequent check.]
• If a VPN solution is not used to transport AD network traffic across enclave boundaries, then this is a Finding.
Note: This check and the associated requirement are based on DoD ports and protocols restrictions stated in DoD Instruction 8551.1 and linked documents.
UNCLASSIFIED 3-6
DS10.0300 IDS Visibility of AD VPN Data Transport
STIG ID \ V-Key DS10.0300 \ V0008523
Severity Cat II
Short Name IDS Visibility of AD VPN Data Transport
IA Controls EBVC-1
MAC /Conf 1-CSP, 2-CSP, 3-CSP
References AD STIG 2.3.4
Long Name: The VPN used to protect AD network traffic does not support visibility by an IDS.
Checks:
• Interview the IAO.
• If the response to check DS10.0110 indicates that domain controllers are *not* located in multiple enclaves, then this check is Not Applicable.
• If the response to check DS10.0110 indicates that domain controllers *are* located in multiple enclaves and a VPN is *not* used, then this check is Not Applicable.
• If the response to check DS10.0110 indicates that domain controllers *are* located in multiple enclaves and a VPN *is* used, review the site network diagram(s) with the SA, NSO, or network reviewer as required to determine if the AD network traffic is visible to a network or host IDS.
• If the AD network traffic is not visible to a network or host IDS, then this is a Finding.
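Both checks above rest on one fact the reviewer has to establish from the network diagram: which domain controllers sit in which enclave, and therefore which AD traffic paths cross an enclave boundary. The following PowerShell script is an added example, not part of the DISA checklist; it pulls the forest's DC inventory and replication topology from AD itself so the reviewer can confirm the diagram rather than rely on it. It assumes the ActiveDirectory module (RSAT; Get-ADReplicationConnection needs Windows Server 2012 or later) and an account that can read every domain in the forest. The enclave names and CIDR ranges in $Enclaves are placeholders the reviewer replaces with the site's real subnets; the AD port list is the well-known set of ports AD uses and is included because a VPN or IDS tap that covers only LDAP misses most AD traffic.

```powershell
# Added example (not DISA checklist code): list DCs per enclave and the replication
# connections that cross an enclave boundary. Those connections are AD traffic that
# DS10.0110 requires to ride a VPN and DS10.0300 requires to stay visible to an IDS.
Import-Module ActiveDirectory

# ASSUMPTION: enclave-to-subnet mapping taken from the site network diagram.
# The names and ranges below are placeholders, not real site data.
$Enclaves = @{
    'Enclave-A' = @('10.10.0.0/16')
    'Enclave-B' = @('10.20.0.0/16', '192.168.50.0/24')
}

# Main ports AD uses between DCs and from clients (replication, logon, queries).
# The dynamic RPC range shown is the Windows Server 2008+ default.
$AdPorts = @{
    'DNS' = '53/tcp,udp'; 'Kerberos' = '88/tcp,udp'; 'RPC endpoint mapper' = '135/tcp'
    'LDAP' = '389/tcp,udp'; 'SMB' = '445/tcp'; 'LDAPS' = '636/tcp'
    'Global Catalog' = '3268/tcp, 3269/tcp'; 'RPC dynamic (replication)' = '49152-65535/tcp'
}

function ConvertTo-UInt32Address ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network byte order -> host order for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInCidr ([string]$Ip, [string]$Cidr) {
    $network, $prefix = $Cidr.Split('/')
    $all  = [uint64]4294967295                    # 0xFFFFFFFF as an unsigned value
    $mask = ($all -shl (32 - [int]$prefix)) -band $all
    return (((ConvertTo-UInt32Address $Ip) -band $mask) -eq ((ConvertTo-UInt32Address $network) -band $mask))
}

function Get-EnclaveForIp ([string]$Ip) {
    foreach ($name in $Enclaves.Keys) {
        foreach ($cidr in $Enclaves[$name]) {
            if (Test-IpInCidr $Ip $cidr) { return $name }
        }
    }
    return 'UNMAPPED'                             # a DC outside every known enclave needs follow-up
}

# Inventory every DC in every domain of the forest and tag it with its enclave.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}
$dcByDn = @{}
foreach ($dc in $dcs) {
    $dc | Add-Member -NotePropertyName Enclave -NotePropertyValue (Get-EnclaveForIp $dc.IPv4Address) -Force
    $dcByDn[$dc.NTDSSettingsObjectDN] = $dc       # replication connections reference these DNs
    $dcByDn[$dc.ServerObjectDN]       = $dc
}
$dcs | Select-Object HostName, IPv4Address, Site, Domain, Enclave | Format-Table -AutoSize

$enclavesInUse = @($dcs | ForEach-Object { $_.Enclave } | Sort-Object -Unique)
if ($enclavesInUse.Count -le 1) {
    Write-Output "All DCs are in one enclave: DS10.0110 and DS10.0300 are Not Applicable."
    return
}

# A replication connection whose two ends are in different enclaves is AD traffic
# crossing an enclave boundary. The reviewer then verifies a VPN carries it (DS10.0110)
# and that an IDS sees it in cleartext, before encryption or via a decrypting tap (DS10.0300).
$crossing = foreach ($conn in Get-ADReplicationConnection -Filter *) {
    $from = $dcByDn[$conn.ReplicateFromDirectoryServer]
    $to   = $dcByDn[$conn.ReplicateToDirectoryServer]
    if ($null -ne $from -and $null -ne $to -and $from.Enclave -ne $to.Enclave) {
        [pscustomobject]@{
            FromDC = $from.HostName; FromEnclave = $from.Enclave
            ToDC   = $to.HostName;   ToEnclave   = $to.Enclave
        }
    }
}
if (-not $crossing) {
    Write-Output "DCs span enclaves but no replication connection crosses one; review client logon and query paths manually."
} else {
    Write-Output "Replication connections crossing enclave boundaries (must be VPN-protected and IDS-visible):"
    $crossing | Format-Table -AutoSize
    Write-Output "Ports the VPN and the IDS coverage must include:"
    $AdPorts.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
}
```

Replication connections are only part of the picture: clients in one enclave authenticating to, or querying, a DC in another also generate AD traffic across the boundary, which is why the checklist still sends the reviewer to the network diagram. A DC reported as UNMAPPED means the enclave table does not cover its subnet and should be resolved before either check is scored. Because the VPN required by DS10.0110 encrypts the traffic, the IDS in DS10.0300 can only inspect it where the tunnel terminates or where a decrypting tap exists; an IDS placed on the encrypted segment satisfies neither check.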