ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

Active Directory Checklist, V1R1.2    Field Security Operations
22 September 2006    Defense Information Systems Agency

5. MANUAL CHECK PROCEDURES

This section of the Checklist describes the procedures to be used to conduct a manual review for the Active Directory STIG requirements. The results from the procedures in this section can be recorded on a copy of the Review Results Report in Section 2.

5.1 Review Process Information

All of the AD domain and forest checks in this document are performed on a Windows domain controller using a Windows account that is a member of the Domain Admins security group. While it is possible to perform these checks remotely, the documented procedures assume that the reviewer is using the console of the domain controller.

The checks for synchronization and maintenance products require the input and assistance of the administrator of the application. A Windows account with administrative privileges for the application is required.

It is assumed that the reviewer is familiar with the tools and procedures documented in the Windows Security Checklists. While the procedures in this document are generally explicit, basic procedures such as the process for checking file system ACLs are not documented.

The following tools are used during the review process and are available on all Windows domain controllers:

- Windows Explorer
- Microsoft Management Console (MMC) Snap-ins:
  - AD Users and Computers (dsa.msc)
  - AD Domains and Trusts (domain.msc)
  - AD Sites and Services (dssite.msc)
  - Services (services.msc)
- Registry Editor
- Command Prompt Invocation:
  - Shared resources (net share)
  - Directory Service Query (dsquery.exe) - Win2K3

The following tool is used during the review process and is only available if the Windows Support Tools have been installed:

- Command Prompt Invocation:
  - Support Tools Domain Manager (netdom.exe)

The following information should be available to accelerate the review process:

- AD trust relationship documentation [Appendix B provides examples.]
- Lists of accounts assigned to AD privileged groups (Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, and Incoming Forest Trust Builders)
- List of accounts with the right to create AD objects (e.g., accounts, printers), but that are not members of the built-in AD privileged groups
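The two account lists called for above (expanded membership of the named privileged groups, and principals holding object-creation rights on the domain root who are not in those groups) can be gathered ahead of the review with the script below. It is an added example, not part of the DISA checklist, and it assumes the ActiveDirectory PowerShell module (RSAT) on a current domain controller in place of the Windows 2003-era dsquery.exe the document names; the output file names are arbitrary.

```powershell
# Added example (not from the DISA checklist): collect the 5.1 review inputs.
# Assumes the ActiveDirectory module and a Domain Admins session on a domain controller.
Import-Module ActiveDirectory

# The privileged groups named in the checklist.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Group Policy Creator Owners', 'Incoming Forest Trust Builders')

# 1. Expanded (nested) user membership of each privileged group.
$privileged = foreach ($g in $privilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain;
    # skip any group this domain does not have.
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    Get-ADGroupMember -Identity $grp -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName } }
}
$privileged | Sort-Object Group, Account |
    Export-Csv -NoTypeInformation -Path privileged_groups.csv

# 2. Principals granted CreateChild (the right to create objects) on the domain
#    root ACL, excluding the privileged groups and their members found above.
#    Well-known principals (BUILTIN, NT AUTHORITY) are left in for manual triage.
$privilegedNames = @($privileged.Account | Sort-Object -Unique)
$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"
$createRight = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$creators = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights.HasFlag($createRight) } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique

$creators |
    Where-Object {
        $name = ($_ -split '\\')[-1]          # strip the DOMAIN\ prefix
        ($name -notin $privilegedGroups) -and ($name -notin $privilegedNames)
    } |
    Set-Content -Path nonprivileged_creators.txt
```

The second list is a starting point only: a principal may also gain create rights through an organizational unit ACL rather than the domain root, so OU-level ACLs still need the manual check the document describes.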

UNCLASSIFIED
5-1
