ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

Active Directory Checklist, V1R1.2 Field Security Operations
22 September 2006 Defense Information Systems Agency
DS05.0130 Synch\Maint Inter-Enclave LDAP\HTTP Usage
STIG ID \ V-Key DS05.0130 \ V0011760
Severity Cat II
Short Name Synch\Maint Inter-Enclave LDAP\HTTP Usage
IA Controls DCPP-1
MAC /Conf 1-CSP, 2-CSP, 3-CSP
References AD STIG 2.3.1.3
DODI 8551.1
Long Name: A synch\maint implementation that spans enclave boundaries and uses LDAP or
HTTP protocol does not use a VPN to protect the network traffic.
Checks:
• Interview the Application SA.
• With the assistance of the SA, NSO, or network reviewer as required, review the
application documentation and the site network diagram(s) to determine if the
synch\maint implementation transfers directory data across enclave boundaries
and uses the LDAP or HTTP protocol.
- The object is to determine if application traffic is traversing enclave network
boundaries and if LDAP or HTTP is used.
[Retain this information for use in a subsequent check.]
• If the synch\maint implementation does *not* transfer data across enclave
boundaries or does *not* use LDAP or HTTP, then this check is Not Applicable.
• If the synch\maint implementation transfers data using LDAP or HTTP, review
the site network diagram(s) with the assistance of the SA, NSO, or network
reviewer as required, to determine if a VPN is used to transport the directory data
network traffic.
• If a VPN solution is not used to transport directory data network traffic across
enclave boundaries, then this is a Finding.
Note: This check and the associated requirement are based on DoD ports and
protocols restrictions stated in DoD Instruction 8551.1 and linked documents.
UNCLASSIFIED
3-12