ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

Active Directory Checklist, V1R1.2 Field Security Operations
22 September 2006 Defense Information Systems Agency
DS10.0160 Domain Functional Level
STIG ID \ V-Key DS10.0160 \ V0008551
Severity Cat III
Short Name Domain Functional Level
IA Controls ECAN-1, ECCD-1, ECCD-2, ECLP-1
MAC /Conf 1-CSP, 2-CSP, 3-CSP
References AD STIG 2.3.3.2
Long Name: An AD domain that has no Windows NT domain controllers is at a domain
functional level that allows the addition of new Windows NT domain controllers.
Checks:
• Start the Active Directory Users and Computers console (“Start”, “Run…”,
“dsa.msc”).
• Determine if any domain controller in the AD domain being reviewed is running
Windows NT:
- Select the left pane item that matches the name of the domain being reviewed.
- Right-click the domain name and select the Find item.
- In the Find dialog box, select Custom Search.
- Select the Advanced tab.
- In the Enter LDAP query box, enter the following *without the quotes or
spaces*:
“(&(objectCategory=computer)(operatingSystemVersion=4*)
(userAccountControl:1.2.840.113556.1.4.803:=8192))”
- Click the Find Now button.
[This procedure is documented in Microsoft KB article 322692.]
• If any domain controller in the AD domain being reviewed is running Windows
NT, then this is a Not a Finding.
• Return to the initial console view.
• Determine the domain functional level:
- Select the left pane item that matches the name of the domain being reviewed.
- Right-click the domain name and select the Properties item.
- On the General tab, note the value of “Domain functional level” (Windows
Server 2003) or “Domain operation mode” (Windows 2000 Server).
• If the current domain functional level is “Windows 2000 mixed” or “Windows
Server 2003 interim” and there are no Windows NT domain controllers in the AD
domain, then this is a Finding.
UNCLASSIFIED
5-25