ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

More documents

Recommendations

Info

Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency DS05.0360 Synch\Maint Data Transport Signing STIG ID \ V-Key DS05.0360 \ V0011770 Severity Cat III Short Name Synch\Maint Data Transport Signing IA Controls ECTM-1. ECTM-2 MAC /Conf 1-CSP, 2-CSP, 3-CSP References AD STIG 2.3.3.8 Long Name: A synch\maint implementation does not use data signing or other methods to ensure the integrity of directory data network traffic. Checks: • Interview the Application SA. • Review the application documentation or configuration settings to determine if the synch\maint implementation signs the data or uses other integrity checks on data transferred over any network. - The use of encryption is an acceptable method of addressing data integrity. If the LDAPS or HTTPS protocol or a VPN is used for transmission, this meets the requirement. • If the synch\maint implementation does not use data signing or other methods to ensure the integrity of transmitted data, then this is a Finding. UNCLASSIFIED 3-22
Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency DS05.0340 Synch\Maint Aggregate Transport Encryption STIG ID \ V-Key DS05.0340 \ V0011771 Severity Cat II Short Name Synch\Maint Aggregate Transport Encryption IA Controls ECCT-1, ECCT-2, ECNK-1, ECNK-2 MAC /Conf 1-CS, 2-CS, 3-CS References AD STIG 2.3.3.8 Long Name: A synch\maint implementation that transfers a substantial aggregate of the directory data for an entire geographic command does not use FIPS 140-2validated encryption to protect the network traffic. Checks: • Interview the Application SA. • Determine if data transmitted by the synch\maint implementation contains directory information for an *entire* geographic command such as DISA CONUS, DISA EUROPE, or DISA PACIFIC or for *all* members of a Service or other Component. - An examination of the application documentation or directory query strings can be used to establish this. • If the data transmitted by the synch\maint implementation does *not* contain substantial aggregates, then this check is Not Applicable. • If the data transmitted by the synch\maint implementation *does* contain a substantial aggregate, review the application documentation and site network diagram(s) to determine if FIPS 140-2-validated encryption is used to protect the network traffic. - This includes encryption of the data on the host before transmission, the use of LDAPS or HTTPS protocol, or the use of network components (such as a VPN) to perform encryption. • If the data transmitted by the synch\maint implementation contains a substantial aggregate and it is not encrypted, then this is a Finding. UNCLASSIFIED 3-23
Page 1 and 2:
ACTIVE DIRECTORY SECURITY CHECKLIST
Page 3 and 4:
Active Directory Checklist, V1R1.2
Page 5 and 6:
Page 7 and 8: Active Directory Checklist, V1R1.2
Page 57: Active Directory Checklist, V1R1.2
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
show all

ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

Create successful ePaper yourself

Delete template?

Save as template?