STIGQter: STIG Summary: Active Directory Domain Security Technical Implementation Guide (STIG) Version: 2 Release: 13 Benchmark Date: 26 Apr 2019:

Each cross-directory authentication configuration must be documented.

DISA Rule

SV-30989r3_rule

Vulnerability Number

V-8530

Group Title

Cross-Directory Authentication Documentation

Rule Version

DS00.1120_AD

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Develop documentation for each AD external, forest, and realm trust configuration. At a minimum this must include:
Type (external, forest, or realm)
Name of the other party
Confidentiality, Availability, and Integrity categorization
Classification level of the other party
Trust direction (inbound and/or outbound)
Transitivity
Status of the Selective Authentication option
Status of the SID filtering option

Check Contents

Start "Active Directory Domains and Trusts" (available from various menus, or run "domain.msc").
Select the left pane item that matches the name of the domain being reviewed.
Right-click the domain name and select "Properties".
Select the "Trusts" tab.

For each outbound and inbound external, forest, and realm trust, record the name of the other party (domain name), the trust type, transitivity, and the trust direction. (Keep this trust information for use in subsequent checks.)

Compare the list of trusts identified with documentation maintained by the ISSO.

For each trust, the documentation must contain the following:
Type (external, forest, or realm)
Name of the other party
Confidentiality, Availability, and Integrity categorization
Classification level of the other party
Trust direction (inbound and/or outbound)
Transitivity
Status of the Selective Authentication option
Status of the SID filtering option

If an identified trust is not listed in the documentation or if any of the required items are not documented, this is a finding.
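As an added example (not part of the STIG text or STIGQter), the same trust inventory and documentation comparison carried out with the ActiveDirectory PowerShell module on a domain-joined admin host. The $DocumentedTrusts entries are constructed sample data standing in for the ISSO's records, and the mapping of Get-ADTrust attributes onto the STIG's "external / forest / realm" vocabulary in Get-StigTrustType is an assumption.

```powershell
# Added example: enumerate trusts and check them against ISSO documentation (V-8530).
Import-Module ActiveDirectory

# The eight items the STIG requires for every documented trust.
$RequiredFields = 'Type','OtherParty','CIA','Classification','Direction',
                  'Transitivity','SelectiveAuthentication','SIDFiltering'

# Constructed sample of ISSO documentation; the second entry deliberately lacks 'Classification'.
$DocumentedTrusts = @(
    @{ OtherParty='partner.example'; Type='Forest'; CIA='M-M-M'; Classification='Unclassified'
       Direction='BiDirectional'; Transitivity='Transitive'; SelectiveAuthentication='Enabled'; SIDFiltering='Enabled' }
    @{ OtherParty='legacy.example'; Type='External'; CIA='M-M-M'; Direction='Outbound'
       Transitivity='Non-transitive'; SelectiveAuthentication='Disabled'; SIDFiltering='Enabled' }
)

function Get-StigTrustType {
    # Assumed mapping: MIT trusts are realm trusts, forest-transitive trusts are forest trusts,
    # everything else outside the forest is treated as an external trust.
    param($Trust)
    if ($Trust.TrustType -eq 'MIT') { return 'Realm' }
    if ($Trust.ForestTransitive)   { return 'Forest' }
    return 'External'
}

function Get-TrustFindings {
    param([object[]]$LiveTrusts, [hashtable[]]$Docs)
    $findings = @()
    # Parent/child and tree-root trusts inside the forest are out of scope for this check.
    foreach ($t in $LiveTrusts | Where-Object { -not $_.IntraForest }) {
        $doc = $Docs | Where-Object { $_.OtherParty -eq $t.Target } | Select-Object -First 1
        if (-not $doc) {
            $findings += "FINDING: trust with '$($t.Target)' is not in the ISSO documentation"
            continue
        }
        $missing = $RequiredFields | Where-Object { -not $doc.ContainsKey($_) }
        if ($missing) { $findings += "FINDING: '$($t.Target)' documentation lacks: $($missing -join ', ')" }
        # Not a finding under this rule, but a stale record is worth raising for review.
        $liveSel = if ($t.SelectiveAuthentication) { 'Enabled' } else { 'Disabled' }
        if ($doc.SelectiveAuthentication -ne $liveSel) {
            $findings += "REVIEW: '$($t.Target)' Selective Authentication documented $($doc.SelectiveAuthentication), actual $liveSel"
        }
    }
    return $findings
}

$live = Get-ADTrust -Filter *
# Record the items the check asks for; SIDFilteringForestAware applies to forest trusts,
# SIDFilteringQuarantined to external trusts.
$live | Select-Object Target, Direction, @{n='Type';e={ Get-StigTrustType $_ }},
    @{n='Transitivity';e={ if ($_.ForestTransitive) { 'Transitive' } else { 'Non-transitive' } }},
    SelectiveAuthentication, SIDFilteringForestAware, SIDFilteringQuarantined | Format-Table -AutoSize
Get-TrustFindings -LiveTrusts $live -Docs $DocumentedTrusts
```

Keep the Format-Table output with the audit evidence, since later checks in this STIG reuse the same trust list.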

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

870

Comments