STIGQter: STIG Summary: Active Directory Domain Security Technical Implementation Guide (STIG) Version: 2 Release: 13 Benchmark Date: 26 Apr 2019

The impact of INFOCON changes on the cross-directory authentication configuration must be considered and procedures documented.

DISA Rule

SV-31214r2_rule

Vulnerability Number

V-8526

Group Title

Cross-Directory Authentication INFOCON Procedures

Rule Version

DS00.7100_AD

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Evaluate cross-directory configurations (such as trusts and pass-through authentication) and provide documentation that indicates:
1. That an evaluation was performed.
2. The specific AD trust configurations, if any, that should be disabled during changes in INFOCON status because they could represent increased risk.

Check Contents

1. Refer to the list of actual manual AD trusts (cross-directory configurations) collected from the site representative.

2. If there are no manual AD trusts (cross-directory configurations) defined, this check is not applicable.
For AD, this includes external, forest, or realm trust relationship types.

3. Obtain a copy of the site’s supplemental INFOCON procedures as required by Strategic Command Directive (SD) 527-1.

4. Verify that it has been determined by the IAM whether INFOCON response actions need to include procedures to disable manual AD trusts (cross-directory configurations). The objective is to determine if the need has been explicitly evaluated.

5. If it has been determined that actions to disable manual AD trusts (cross-directory configurations) are not necessary, then this check is not applicable.

6. If it has been determined that actions to disable manual AD trusts (cross-directory configurations) *are* necessary, verify that the policy to implement these actions has been documented.

7. If actions to disable manual AD trusts (cross-directory configurations) *are* needed and no policy has been documented, then this is a finding.
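Steps 1 and 2 depend on an accurate list of the site's manual trusts and their types. The following PowerShell script is an added example, not part of the STIG text or of STIGQter; it enumerates the trusts visible from the current domain, drops the automatic intra-forest (parent/child, tree-root) trusts, and classifies the rest as external, forest or realm so the assessor can decide applicability and document what exists. It assumes the RSAT ActiveDirectory module is installed and that the caller can read trustedDomain objects; the output file name is an assumption.

```powershell
# Added example (not part of the STIG text): build the list of manual AD
# trusts needed for step 1 of this check and classify each one by the trust
# types named in step 2 (external, forest, realm).
# Assumes the RSAT ActiveDirectory module and read access to trust objects.
Import-Module ActiveDirectory

function Get-ManualAdTrust {
    [CmdletBinding()]
    param(
        [string]$Server   # optional domain controller to query; default is the current domain
    )
    $params = @{ Filter = '*' }
    if ($Server) { $params['Server'] = $Server }

    Get-ADTrust @params | ForEach-Object {
        $t = $_
        # Intra-forest trusts are created automatically when domains are added
        # and are not "manual" trusts in the sense of this check; skip them.
        if ($t.IntraForest) { return }

        # Realm trusts to a non-Windows Kerberos realm report TrustType MIT;
        # forest trusts are the transitive ones; everything else is external.
        if ($t.TrustType -eq 'MIT')   { $kind = 'Realm (Kerberos/MIT)' }
        elseif ($t.ForestTransitive) { $kind = 'Forest' }
        else                          { $kind = 'External' }

        [pscustomobject]@{
            Name             = $t.Name
            Target           = $t.Target
            Kind             = $kind
            Direction        = $t.Direction
            ForestTransitive = $t.ForestTransitive
            SelectiveAuth    = $t.SelectiveAuthentication
            SidFiltering     = $t.SIDFilteringQuarantined
        }
    }
}

# Produce the list referenced in step 1. An empty result means step 2 applies
# and the check is not applicable; otherwise keep the export as evidence for
# the IAM evaluation in steps 4 to 6.
$trusts = Get-ManualAdTrust
if (-not $trusts) {
    Write-Output 'No manual AD trusts found; this check is not applicable.'
} else {
    $trusts | Format-Table -AutoSize
    $trusts | Export-Csv -NoTypeInformation -Path '.\manual-ad-trusts.csv'   # assumed file name
}
```

The SelectiveAuth and SidFiltering columns are included because they are the settings an IAM would normally weigh when deciding whether a given trust represents enough added risk to be disabled during an INFOCON change; the script only reports them and changes nothing.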

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

870

Comments