Active Directory Checklist, V1R1.2 Field Security Operations
22 September 2006 Defense Information Systems Agency
5.3 Active Directory Domain
Notes: The checks in this section apply to Active Directory Domain assets and are performed on only one domain controller per AD domain.
Some of these checks apply only to Windows Server 2003 and must be done on that platform.
These checks examine characteristics that apply to an entire Windows domain. Because AD data is replicated among its domain controllers, performing these checks on a single domain controller is sufficient, provided that controller is up to date: its inbound replication must be current (for example, repadmin /showrepl reports no failures), otherwise stale ACLs could mask or produce a Finding.
5.3.1 AD Object Access Permissions and Auditing
The checks in this section address access control and auditing for selected AD objects in the AD database. Access permissions are examined for AD objects including Group Policy Objects and Organizational Units. Auditing is examined for AD objects including Group Policy Objects, Organizational Units, and several other AD domain partition objects.
DS00.0130 Directory Data Object Access Control
STIG ID \ V-Key: DS00.0130 \ V0008528
Severity: Cat I
Short Name: Directory Data Object Access Control
IA Controls: ECAN-1, ECCD-1, ECCD-2, ECLP-1
MAC / Conf: 1-CSP, 2-CSP, 3-CSP
References: AD STIG 2.3.3.4
Long Name: Directory service data objects do not have proper access permissions (ACLs). For AD this includes Group Policy Objects and Organizational Units (OUs).
Checks:
A. Group Policy Object Procedures - Site Policies
• Start the Active Directory Sites and Services console (“Start”, “Run…”, “dssite.msc”).
• Select and expand the Sites item in the left pane.
For each AD site that is defined (building icon):
- Right-click the AD site and select the Properties item.
- On the site Properties window, select the Group Policy tab. (If the Group Policy Management Console is installed, this tab instead offers to open GPMC; the same ACL is then reached from the linked GPO's Delegation tab via the Advanced button.)
- For *each* Group Policy Object Link:
-- Select the Group Policy Object Link item.
-- Select the Properties button.
-- On the site Group Policy Properties window, select the Security tab.
-- Compare the ACL of the site Group Policy to the specifications for Group Policy Objects in Checklist appendix A.3.
• If the actual permissions for any Group Policy Object linked to an AD site are not at least as restrictive as those in the appendix, then this is a Finding.
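The manual procedure above can be scripted for a domain with many sites. The following PowerShell is an added example and is not part of the DISA checklist: it reads each site object's gPLink attribute (where site-level GPO links are stored in the Configuration partition), extracts the GUID of every linked GPO, and compares that GPO's permissions with a baseline. It assumes the ActiveDirectory and GroupPolicy RSAT modules (Windows Server 2008 R2 and later, so newer tooling than this checklist's Server 2003 target), a domain-joined session that can read the Configuration partition, and a hypothetical $Baseline hashtable that stands in for appendix A.3, which is not reproduced on this page.

```powershell
# Added example, not DISA checklist content. Compares site-linked GPO ACLs
# with a baseline of "most permissive level allowed per trustee".

# HYPOTHETICAL baseline: substitute the appendix A.3 specification. Any
# trustee not listed here, or holding more than the level listed, is reported.
$Baseline = @{
    'Authenticated Users'           = 'GpoApply'
    'ENTERPRISE DOMAIN CONTROLLERS' = 'GpoRead'
    'SYSTEM'                        = 'GpoEditDeleteModifySecurity'
    'Domain Admins'                 = 'GpoEditDeleteModifySecurity'
    'Enterprise Admins'             = 'GpoEditDeleteModifySecurity'
}

# GroupPolicy module permission levels ordered from least to most permissive.
$Rank = @{ 'None' = 0; 'GpoRead' = 1; 'GpoApply' = 2; 'GpoEdit' = 3
           'GpoEditDeleteModifySecurity' = 4; 'GpoCustom' = 5 }

function Get-SiteGpoGuids {
    # Parse a gPLink value such as
    # "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=example,DC=com;0]"
    # and return the bare GPO GUIDs it references (empty when the site links nothing).
    param([string]$GpLink)
    if ([string]::IsNullOrWhiteSpace($GpLink)) { return @() }
    [regex]::Matches($GpLink, '\{[0-9A-Fa-f\-]{36}\}') |
        ForEach-Object { $_.Value.Trim('{', '}') }
}

function Test-GpoAcl {
    # Return the permission entries that are less restrictive than the baseline.
    # $Permissions is the output of Get-GPPermission -All (Trustee.Name, Permission).
    param(
        [Parameter(Mandatory)] $Permissions,
        [Parameter(Mandatory)] [hashtable]$Baseline
    )
    foreach ($p in $Permissions) {
        $name    = $p.Trustee.Name
        $allowed = $Baseline[$name]
        if (-not $allowed) {
            [pscustomobject]@{ Trustee = $name; Permission = $p.Permission; Reason = 'trustee not in baseline' }
        } elseif ($Rank[[string]$p.Permission] -gt $Rank[$allowed]) {
            [pscustomobject]@{ Trustee = $name; Permission = $p.Permission; Reason = "exceeds $allowed" }
        }
    }
}

Import-Module ActiveDirectory, GroupPolicy

$findings = @()
foreach ($site in Get-ADReplicationSite -Filter * -Properties gPLink) {
    foreach ($guid in Get-SiteGpoGuids -GpLink $site.gPLink) {
        $gpo = Get-GPO -Guid $guid
        $acl = Get-GPPermission -Guid $guid -All
        foreach ($bad in Test-GpoAcl -Permissions $acl -Baseline $Baseline) {
            $findings += [pscustomobject]@{
                Site = $site.Name; GPO = $gpo.DisplayName
                Trustee = $bad.Trustee; Permission = $bad.Permission; Reason = $bad.Reason
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    'DS00.0130: Finding (site-linked GPO permissions exceed the baseline)'
} else {
    'DS00.0130: no site-linked GPO exceeds the baseline'
}
```

Get-GPPermission reports the summarized permission levels GPMC shows on the Delegation tab, not the individual ACEs visible on the Security tab the checklist refers to. Where appendix A.3 specifies ACE-level detail, read the raw ACL instead with the ActiveDirectory module's AD: drive, for example Get-Acl "AD:\CN={<gpo-guid>},CN=Policies,CN=System,DC=example,DC=com", and compare its Access entries; the gPLink parsing and per-site loop above stay the same.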
UNCLASSIFIED
5-10