STIGQter: STIG Summary: Active Directory Domain Security Technical Implementation Guide (STIG) Version: 2 Release: 13 Benchmark Date: 26 Apr 2019

Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.

DISA Rule

SV-32648r2_rule

Vulnerability Number

V-25997

Group Title

Replication in the DMZ (RODC)

Rule Version

AD.0270

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

1. Ensure compliance with the VPN and IPSec requirements in the Network Infrastructure STIG.

2. Ensure that IPSec and the other communications and security configurations for the management and replication of the RODC use the minimum required Group Policy Objects (GPOs) needed to provide the required functionality.

3. Replicate only the information needed to provide the required functionality. If full replication of all directory data is not needed, replicate only the selected identity and authentication information the RODC requires.

4. Include an inspection of the RODC server in the DMZ when inspecting for least privilege.
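
A PowerShell check for step 3 (replicate only what is needed), added here as an example and not part of the STIG text or of STIGQter: it lists each RODC's Password Replication Policy (PRP), the mechanism that scopes which account secrets an RODC may cache, and flags broad or privileged principals in the Allowed list. The list of principals treated as risky is this example's own assumption, not DISA's.

```powershell
# Added example (not DISA or STIGQter code). Requires the ActiveDirectory RSAT
# module and read access to the domain. For every read-only domain controller
# it reports the PRP Allowed/Denied lists and how many secrets are already
# cached, so a reviewer can judge whether replication to the DMZ is selective.
Import-Module ActiveDirectory

# Assumption: principals that should never appear in a DMZ RODC's Allowed list,
# either because they are too broad or because they are highly privileged.
$riskyAllowed = @('Domain Users', 'Authenticated Users', 'Everyone',
                  'Domain Admins', 'Enterprise Admins', 'Administrators',
                  'Schema Admins', 'Account Operators')

function Test-RodcReplicationScope {
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    $rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true } -Server $Server
    if (-not $rodcs) { Write-Output 'No read-only domain controllers found.'; return }

    foreach ($dc in $rodcs) {
        # Allowed = accounts whose passwords may be cached on this RODC;
        # Denied always wins over Allowed when a principal is in both.
        $allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc -Allowed
        $denied   = Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc -Denied
        # Accounts whose secrets have actually been replicated to the RODC so far.
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -RevealedAccounts

        $flags = @($allowed | Where-Object { $riskyAllowed -contains $_.Name })

        [pscustomobject]@{
            RODC          = $dc.HostName
            Site          = $dc.Site
            AllowedCount  = @($allowed).Count
            DeniedCount   = @($denied).Count
            CachedSecrets = @($revealed).Count
            RiskyAllowed  = ($flags.Name -join ', ')
            Finding       = ($flags.Count -gt 0)
        }
    }
}

Test-RodcReplicationScope | Format-Table -AutoSize
```

A row with Finding set to True, or a CachedSecrets count far above the number of users who actually authenticate at that site, indicates replication is broader than step 3 allows.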

Check Contents

1. Verify that the site has applied the Network Infrastructure STIG to configure the VPN and IPSec.

2. Verify that IPSec and the other communications and security configurations for the management and replication of the RODC are managed using the minimum required Group Policy Objects (GPOs).

3. Include an inspection of the RODC server in the DMZ when inspecting for least privilege.

4. Verify that the required patches and compatibility packs are installed if the RODC is used with Windows 2003 (or earlier) clients.

5. If the RODC server and its configuration do not comply with these requirements, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

870

Comments