ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload
Active Directory Checklist, V1R1.2, 22 September 2006
Field Security Operations, Defense Information Systems Agency

Note: An AD instance may have no AD site Group Policies defined.

B. Group Policy Object Procedures - Default Domain & OU Policies

• Start the Active Directory Users and Computers console (“Start”, “Run…”, “dsa.msc”). Ensure that the Advanced Features item on the View menu is enabled.
• Select the left pane item that matches the name of the domain being reviewed.
  - Right-click the domain name and select the Properties item.
  - On the domain Properties window, select the Group Policy tab and then the Properties button.
  - On the Default Domain Policy Properties window, select the Security tab.
  - Compare the ACL of the Default Domain Group Policy to the specifications for Group Policy Objects in Checklist appendix A.3.
• If the actual permissions for the Default Domain Policy Group Policy object are not at least as restrictive as those in the appendix, then this is a Finding.
• Return to the initial console view.
• For each OU that is defined (folder in folder icon):
  - Right-click the OU and select the Properties item.
  - On the OU Properties window, select the Group Policy tab.
  - For *each* Group Policy Object Link:
    -- Select the Group Policy Object Link item.
    -- Select the Properties button.
    -- On the OU Group Policy Properties window, select the Security tab.
    -- Compare the ACL of the OU Group Policy to the specifications for Group Policy Objects in Checklist appendix A.3.
• If the actual permissions for any OU Group Policy object are not at least as restrictive as those in the appendix, then this is a Finding.

Note: Each domain has at least one OU that has a Group Policy. This will be the Domain Controllers OU.

C. Organizational Unit Object Procedures

• Start the Active Directory Users and Computers console (“Start”, “Run…”, “dsa.msc”). Ensure that the Advanced Features item on the View menu is enabled.
• For each OU that is defined (folder in folder icon):
  - Right-click the OU and select the Properties item.
  - On the OU Properties window, select the Security tab.
  - Compare the ACL of the OU to the specifications for Organizational Unit Objects in Checklist appendix A.3.
• If the actual permissions for any OU object are not at least as restrictive as those in the appendix, then this is a Finding.

This check includes the functions of Windows Checklist item 2.013. That check will be removed in future versions of the Windows Checklists.
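
The GPO and OU ACL comparisons in procedures B and C can also be scripted. The PowerShell below is an added example, not part of the DISA checklist; the function name Get-AclFinding and the two baseline tables are hypothetical, and the baseline entries are placeholders to be filled in from appendix A.3, which this page does not reproduce. It compares only the per-trustee rights mask of Allow ACEs and ignores object-type scoping, so it can over-report but will not hide an excess right.

```powershell
# Added example, not part of the DISA checklist. Requires the RSAT ActiveDirectory
# and GroupPolicy modules and a session with read access to the domain.
Import-Module ActiveDirectory, GroupPolicy
Add-Type -AssemblyName System.DirectoryServices

# PLACEHOLDER baselines: replace with the trustees and rights listed in Checklist
# appendix A.3. Key = trustee, value = maximum ActiveDirectoryRights allowed.
$OuBaseline  = @{ 'EXAMPLE\Placeholder Trustee' = 'GenericRead' }
$GpoBaseline = @{ 'EXAMPLE\Placeholder Trustee' = 'GenericRead' }

function Get-AclFinding {
    param(
        [Parameter(Mandatory)] [string]    $DistinguishedName,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # Deny ACEs only make the object more restrictive, so they never cause a Finding.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $trustee = $ace.IdentityReference.Value
        $granted = [int]$ace.ActiveDirectoryRights
        $allowed = 0   # a trustee absent from the baseline is allowed nothing
        if ($Baseline.ContainsKey($trustee)) {
            $allowed = [int][System.DirectoryServices.ActiveDirectoryRights]$Baseline[$trustee]
        }
        # Bits granted on the object that the baseline does not permit for this trustee.
        $excess = $granted -band (-bnot $allowed)
        if ($excess -ne 0) {
            [pscustomobject]@{
                Object       = $DistinguishedName
                Trustee      = $trustee
                ExcessRights = [System.DirectoryServices.ActiveDirectoryRights]$excess
                Inherited    = $ace.IsInherited
            }
        }
    }
}

# Procedure C: the ACL of every OU object.
$findings = @(Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    Get-AclFinding -DistinguishedName $_.DistinguishedName -Baseline $OuBaseline
})
# Procedure B: the ACL of every GPO (a superset of the linked GPOs the checklist walks through).
$findings += @(Get-GPO -All | ForEach-Object {
    Get-AclFinding -DistinguishedName $_.Path -Baseline $GpoBaseline
})
$findings | Sort-Object Object, Trustee | Format-Table -AutoSize
```

Each row of output is a candidate Finding to confirm against appendix A.3 in the console, as the manual procedure describes.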

UNCLASSIFIED