ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload
Active Directory Checklist, V1R1.2, 22 September 2006
Field Security Operations, Defense Information Systems Agency
DS00.0151 Time Synchronization Source Logging
STIG ID \ V-Key: DS00.0151 \ V0008324
Severity: Cat III
Short Name: Time Synchronization Source Logging
IA Controls: ECTM-1, ECTM-2
MAC / Conf: 1-CSP, 2-CSP, 3-CSP
References: AD STIG 2.3.3.8
Long Name: The time synchronization tool does not log changes to the time source.
Checks:
The following procedures check the Windows Time service. This is the preferred time synchronization tool for Windows domain controllers.

A. Windows 2000 Server Procedures
• Use Registry Editor to navigate to the following: HKLM\System\CurrentControlSet\Services\W32Time\Parameters.
• If the value for “WriteLog” is not “True” or the value for “Log” is not “0x00000064” or greater, then this is a Finding.
• If the “WriteLog” or “Log” entries are not found, then this is a Finding.

B. Windows Server 2003 Procedures
• Use Registry Editor to navigate to the following: HKLM\System\CurrentControlSet\Services\W32Time\Config.
• If the value for “EventLogFlags” is not “2”, then this is a Finding.

If the SA has demonstrated that an alternate time synchronization tool is being used, check to see if the tool can log time source changes. [Review the available configuration options and logs.] If the tool has that capability and it is not enabled, then this is a Finding.
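
Procedures A and B above, scripted as an added example that is not part of the DISA checklist: it evaluates the text output of `reg query` run against the key named in each procedure and returns the reasons for a Finding. The function names, the sample outputs, the case-insensitive match on "True" and the treatment of a missing EventLogFlags value are assumptions made for this example.

```python
import re

# One value line of `reg query` output: indented name, REG_* type, data.
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s*(.*?)\s*$")

def parse_reg_query(text):
    """Return {lowercased value name: data string} from `reg query` output."""
    return {m.group(1).lower(): m.group(3)
            for m in map(VALUE_RE.match, text.splitlines()) if m}

def to_int(data):
    """Parse 0x-prefixed hex or decimal registry data; None if not a number."""
    try:
        return int(data, 0)
    except (TypeError, ValueError):
        return None

def check_ds00_0151(procedure, reg_output):
    """procedure "A": Windows 2000 Server; "B": Windows Server 2003.
    Returns a list of reasons; an empty list means no Finding."""
    v, findings = parse_reg_query(reg_output), []
    if procedure == "A":
        for name in ("writelog", "log"):
            if name not in v:
                findings.append(f"{name} entry not found")
        # Assumption: "True" is compared case-insensitively.
        if "writelog" in v and v["writelog"].lower() != "true":
            findings.append(f"WriteLog is {v['writelog']!r}, not 'True'")
        if "log" in v and (to_int(v["log"]) or 0) < 0x64:
            findings.append(f"Log is {v['log']!r}, below 0x00000064")
    elif procedure == "B":
        # Assumption: a missing EventLogFlags value counts as "not 2".
        if to_int(v.get("eventlogflags")) != 2:
            findings.append(f"EventLogFlags is {v.get('eventlogflags')!r}, not 2")
    else:
        raise ValueError("procedure must be 'A' or 'B'")
    return findings

# Constructed sample outputs, not captured from a real domain controller.
SAMPLE_2000 = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Parameters
    WriteLog    REG_SZ    True
    Log    REG_DWORD    0x32
"""
SAMPLE_2003 = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config
    EventLogFlags    REG_DWORD    0x2
"""
if __name__ == "__main__":
    print(check_ds00_0151("A", SAMPLE_2000), check_ds00_0151("B", SAMPLE_2003))
```

The constructed Windows 2000 sample is reported as a Finding because its Log value, 0x32, is below 0x00000064; the constructed Windows Server 2003 sample passes.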
UNCLASSIFIED