ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

More documents

Recommendations

Info

Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency 2.4.8 Domain Controller Characteristics The checks in this section address some miscellaneous characteristics that affect the operational integrity of each domain controller. DS10.0140 Domain Controller Dedication STIG ID \ V-Key DS10.0140 \ V0008326 Severity Cat III Short Name Domain Controller Dedication IA Controls DCSP-1 MAC /Conf 1-CSP, 2-CSP References AD STIG 2.3.1.5 Long Name: The domain controller is not dedicated to that function. It is hosting an application such as a database server, e-mail server, e-mail client, web server, or DHCP server. Checks: • Start the Services console (“Start”, “Run…”, “services.msc”). • Check to see if any application-related services have the “Started” status. *Examples* of some services that indicate the presence of applications are: - DHCP Server for DHCP server - IIS Admin Service for IIS web server - Microsoft Exchange System Attendant for Exchange - MSSQLServer for SQL Server - ADAM_[instance] for ADAM directory service. • If any application-related services have the “Started” status, then this is a Finding. Note: The Microsoft Windows-based Domain Name System (DNS) server *is* an acceptable application because, when securely deployed, it is integrated into AD. UNCLASSIFIED 5-8
Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency DS10.0290 Windows Services Startup STIG ID \ V-Key DS10.0290 \ V0008327 Severity Cat II Short Name Windows Services Startup IA Controls ECTM-1, ECTM-2 MAC /Conf 1-CSP, 2-CSP, 3-CSP References AD STIG 2.3.3.7 Long Name: Windows services that are critical for AD are not configured for automatic startup. Checks: • Start the Services console (“Start”, “Run…”, “services.msc”) • Check the Startup Type field for the following: - Distributed File System - DNS Client - File Replication Service - Intersite Messaging - Kerberos Key Distribution Center - Windows Time • If the Startup Type for any of these services is not Automatic, then this is a Finding. Note: The Windows Time service is not required *if* another time synchronization tool is implemented. UNCLASSIFIED 5-9
Page 1 and 2:
ACTIVE DIRECTORY SECURITY CHECKLIST
Page 3 and 4:
Active Directory Checklist, V1R1.2
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28: Active Directory Checklist, V1R1.2
Page 77: Active Directory Checklist, V1R1.2
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
show all

ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

Create successful ePaper yourself

Delete template?

Save as template?