ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload
Active Directory Checklist, V1R1.2 Field Security Operations
22 September 2006 Defense Information Systems Agency
DS05.0350 Synch\Maint Certificate Validity Checking
STIG ID \ V-Key DS05.0350 \ V0011772
Severity Cat III
Short Name Synch\Maint Certificate Validity Checking
IA Controls IAAC-1
MAC /Conf 1-CS, 2-CS, 3-CS
References AD STIG 2.3.3.8
Long Name: A synch\maint product that utilizes PKI certificates does not perform certificate validation that includes CRL or OCSP checking.
Checks:
• Interview the Application SA.
• Review the application documentation or configuration settings to determine if the synch\maint implementation utilizes PKI certificates.
• If PKI certificates are *not* used, then this check is Not Applicable.
• If PKI certificates *are* used, review the application documentation or configuration settings to determine if the product performs certificate validation that includes CRL or OCSP checking.
  - Note that certificates could be used in multiple parts of the implementation such as client authentication of the server *and* server authentication of the client. All uses should be examined.
• If the synch\maint implementation utilizes PKI certificates and the product does not perform certificate validation that includes CRL or OCSP checking, then this is a Finding.
Note: At this time it is understood that SimpleSync, MIIS, and IIFP do *not* perform CRL or OCSP checking.
UNCLASSIFIED 3-24
DS05.0370 Synch\Maint Mutual Authentication
STIG ID \ V-Key DS05.0370 \ V0011773
Severity Cat III
Short Name Synch\Maint Mutual Authentication
IA Controls ECTM-1, ECTM-2
MAC /Conf 1-CSP, 2-CSP, 3-CSP
References AD STIG 2.3.3.8
Long Name: A synch\maint implementation does not perform authentication of the synch\maint client and target directory server (mutual authentication).
Checks:
• Interview the Application SA.
• Review the application documentation or configuration settings to determine if the synch\maint implementation performs authentication of the synch\maint client *and* the target directory server.
  - For client authentication this could include the use of an ID\password for the client to access the server.
  - For the server authentication this could include the use of LDAPS or HTTPS in which the client validates the server’s PKI certificate.
• If the synch\maint implementation does not perform mutual authentication, then this is a Finding.
UNCLASSIFIED 3-25
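Both checks above turn on what the synch\maint client does with the directory server's PKI certificate over LDAPS or HTTPS: DS05.0370 requires that the client validate the server's certificate at all, and DS05.0350 requires that the validation also consult a CRL or OCSP responder. The Go program below is an added illustration, not part of the checklist and not code from any of the products it names. It builds a throwaway test CA, issues one valid and one revoked server certificate for an assumed host name (ldap.example.test), publishes a CRL, and shows that chain-and-host-name validation alone (verifyChain, the condition that produces a Finding under DS05.0350) accepts the revoked certificate, while the CRL-aware validator (verifyWithCRL) rejects it and still accepts the valid one. It uses only the Go standard library and assumes Go 1.19 or later for x509.ParseRevocationList; OCSP is not covered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("server certificate is revoked")

// check panics on a PKI setup error: this is constructed test scaffolding, not production code.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mustIssue makes a fresh P-256 key, signs tmpl with parentKey (or with the new key itself when parentKey is nil, a self-signed root) and returns the parsed certificate and key.
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// serverTemplate describes a server-auth certificate for host (name in the SAN, not only the CN).
func serverTemplate(serial int64, host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// verifyChain is the server-authentication step on its own (DS05.0370): trusted chain, validity period and host name. It never consults a CRL, so a revoked certificate still passes.
func verifyChain(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// verifyWithCRL adds the revocation step DS05.0350 asks for: the CRL must be signed by the issuer, must not be past its NextUpdate, and must not list the leaf's serial number.
func verifyWithCRL(leaf, ca *x509.Certificate, host string, crlDER []byte) error {
	if err := verifyChain(leaf, ca, host); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER) // Go 1.19+
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is stale (past NextUpdate); do not trust it")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

// RunDemo issues a valid and a revoked server certificate for an assumed host, publishes a CRL naming the revoked one, and reports what each validator decided.
func RunDemo() (chainOnlyAcceptsRevoked, crlRejectsRevoked, crlAcceptsValid bool) {
	const host = "ldap.example.test" // assumed directory server name
	root := &x509.Certificate{ // constructed test CA
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Synch Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign lets the CA sign the CRL
	}
	ca, caKey := mustIssue(root, root, nil)
	valid, _ := mustIssue(serverTemplate(1001, host), ca, caKey)
	revoked, _ := mustIssue(serverTemplate(1002, host), ca, caKey)
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now().Add(-time.Minute)}},
	}, ca, caKey)
	check(err)
	return verifyChain(revoked, ca, host) == nil,
		errors.Is(verifyWithCRL(revoked, ca, host, crlDER), ErrRevoked),
		verifyWithCRL(valid, ca, host, crlDER) == nil
}

func main() { fmt.Println(RunDemo()) } // prints: true true true
```

The CRL step makes three separate decisions that a product under review should be able to account for: the list is verified against the issuer's key, a list past its NextUpdate is refused rather than silently trusted, and the leaf's serial number is matched against the entries. A product that fetches a CRL but skips any one of these is not performing the validation the check describes, and the first value printed (true) is exactly the behaviour of a client that validates the chain and host name but never consults the list.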