STIGQter: STIG Summary: Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide Version: 1 Release: 31 Benchmark Date: 26 Jul 2019: Domain Controllers must require LDAP signing.

DISA Rule

SV-36295r2_rule

Vulnerability Number

V-4407

Group Title

LDAP Signing Requirements

Rule Version

AD.3106_2008_R2

Severity

CAT II

CCI(s)

• CCI-002418 - The information system protects the confidentiality and/or integrity of transmitted information.
• CCI-002421 - The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.

Weight

10

Fix Recommendation

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain controller: LDAP server signing requirements" to "Require signing".

Check Contents

Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> Security Options.

If the value for "Domain Controller: LDAP Server signing requirements" is not set to "Require signing", this is a finding.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\NTDS\Parameters\

Value Name: LDAPServerIntegrity

Value Type: REG_DWORD
Value: 2

Documentable Explanation: If LDAP Signing is not supported by a client, service or application, this must be documented with the IAO with supporting vendor information.

Vulnerability Number

V-4407

Documentable

True

Rule Version

AD.3106_2008_R2

Severity Override Guidance

Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> Security Options.

If the value for "Domain Controller: LDAP Server signing requirements" is not set to "Require signing", this is a finding.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\NTDS\Parameters\

Value Name: LDAPServerIntegrity

Value Type: REG_DWORD
Value: 2

Documentable Explanation: If LDAP Signing is not supported by a client, service or application, this must be documented with the IAO with supporting vendor information.

Check Content Reference

M

Third-Party Tools

HK

Responsibility

System Administrator

Target Key

1823

Comments