ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

More documents

Recommendations

Info

Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency DS10.0200 Selective Authentication Trust Option [Windows Server 2003 DC required] STIG ID \ V-Key DS10.0200 \ V0008540 Severity Cat II Short Name Selective Authentication Trust Option IA Controls ECAN-1, ECCD-1, ECCD-2 MAC /Conf 1-CS, 2-CS, 3-CSP References AD STIG 2.3.3.2 Long Name: An outgoing forest trust is configured without Selective Authentication. Checks: Note: This check is performed only on a domain with domain controller(s) running Windows Server 2003. For domains with only Windows 2000 Server domain controllers, this check will be Not Applicable. • Start the Active Directory Domains and Trusts console (“Start”, “Run…”, “domain.msc”). • Select the left pane item that matches the name of the domain being reviewed. - Right-click the domain name and select the Properties item. - On the domain object Properties window, select the Trusts tab. - For *each* outgoing forest trust: -- Right-click the trust item and select the Properties item -- On the trust Properties window, select the Authentication tab. -- Determine if the Selective Authentication option is selected. • If the Selective Authentication option is not selected on every outgoing forest trust, then this is a Finding. UNCLASSIFIED 5-20
Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency 5.3.3 Privileged Group Membership The checks in this section address membership in Windows security groups that have privileges with respect to AD data and administrative functions. DS10.0220 Pre-Windows 2000 Compatible Access Membership STIG ID \ V-Key DS10.0220 \ V0008547 Severity Cat II Short Name Pre-Windows 2000 Compatible Access Membership IA Controls ECAN-1, ECCD-1, ECCD-2 MAC /Conf 1-CS, 2-CS, 3-CSP References AD STIG 2.3.3.4 Long Name: The Pre-Windows 2000 Compatible Access group includes the Everyone or Anonymous Logon groups. Checks: • Start the Active Directory Users and Computers console (“Start”, “Run…”, “dsa.msc”). • Select and expand the left pane item that matches the name of the domain being reviewed. - Select the Builtin item - Double-click the Pre-Windows 2000 Compatible Access group and select the Members tab. • If the Anonymous Logon group or Everyone group is a member of the Pre- Windows 2000 Compatible group, then this is a Finding. UNCLASSIFIED 5-21
Page 1 and 2:
ACTIVE DIRECTORY SECURITY CHECKLIST
Page 3 and 4:
Active Directory Checklist, V1R1.2
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40: Active Directory Checklist, V1R1.2
Page 89: Active Directory Checklist, V1R1.2
show all

ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?