STIGQter: STIG Summary: Active Directory Domain Security Technical Implementation Guide (STIG) Version: 2 Release: 13 Benchmark Date: 26 Apr 2019:

Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.

DISA Rule

SV-9035r3_rule

Vulnerability Number

V-8538

Group Title

Trust - SID Filter Quarantining

Rule Version

AD.0190

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure SID filter quarantining is enabled on all external trusts. With quarantining on, only SIDs that belong to the trusted domain itself are accepted in the authorization data returned during authentication; any other SID (for example a SID of the trusting domain carried in a trusted account's SID history) is removed. SID filtering can be enabled only from the trusting side of the trust, the domain whose resources are being protected. Enter the following as a single line from a command prompt (the /usero and /passwordo values can be omitted when the session already runs as a domain administrator of the trusting domain):

netdom trust <TrustingDomainName> /d:<TrustedDomainName> /quarantine:Yes
/usero:<DomainAdministratorAcct> /passwordo:<DomainAdminPwd>

Ensure SID history is disabled for all forest trusts (this is the default when a forest trust is created). SID history can be disabled only from the trusting side of the trust. Do not use /quarantine:Yes on a forest trust: quarantining accepts SIDs only from the trusted forest's root domain, so SIDs from its child domains are stripped and the transitive trust stops working for them. Enter the following as a single line from a command prompt:

netdom trust <TrustingDomainName> /d:<TrustedDomainName> /enablesidhistory:No
/usero:<DomainAdministratorAcct> /passwordo:<DomainAdminPwd>

Check Contents

Open "Active Directory Domains and Trusts". (Available from various menus or run "domain.msc".)
Right-click the domain in the left pane and select Properties.
Select the Trusts tab.
Note any existing trusts and their type. Only trusts in which this domain is the trusting side (trusts listed as outgoing, or two-way) are configured here; parent-child and tree-root trusts within the forest are not external or forest trusts.
If no trusts exist, this is NA.

In the commands below, giving /quarantine or /enablesidhistory with no value only reports the current setting; it changes nothing.

If the trust type is External, run the following command on the trusting domain:
"netdom trust <trusting domain> /d:<trusted domain> /quarantine"
If the result does not specify "SID filtering is enabled for this trust. Only SIDs from the trusted domain will be accepted for authorization data returned during authentication. SIDs from other domains will be removed.", this is a finding.

If the trust type is Forest, run the following command on the trusting domain:
"netdom trust <trusting domain> /d:<trusted domain> /enablesidhistory"
If the result does not specify "SID history is disabled for this trust", this is a finding.
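The check and fix above as one script, added here as an example and not part of the STIG or of STIGQter: it enumerates the trusting domain's outgoing and two-way trusts with Get-ADTrust, runs the same netdom queries the check content prescribes, matches on the strings the check cites, and with -Remediate applies the matching fix. The function name Test-Ad0190SidFiltering is chosen for this example; it assumes the ActiveDirectory RSAT module and netdom.exe are available on the host and that the session has rights to query (and, for -Remediate, modify) the trusts of the trusting domain.

```powershell
#Requires -Modules ActiveDirectory
# Example automation of STIG AD.0190 (SID filter quarantining / SID history on trusts).
# Hypothetical function name; assumes RSAT ActiveDirectory module and netdom.exe.
function Test-Ad0190SidFiltering {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Trusting (audited) domain; defaults to the domain of the current session
        [string]$TrustingDomain = (Get-ADDomain).DNSRoot,
        # Apply the STIG fix (/quarantine:Yes or /enablesidhistory:No) to non-compliant trusts
        [switch]$Remediate
    )

    # Only trusts where this domain is the trusting side count: SID filtering is set from that side.
    # Outbound = "domains trusted by this domain"; BiDirectional covers both ways.
    # Intra-forest (parent-child, tree-root) trusts are out of scope for AD.0190.
    $trusts = Get-ADTrust -Filter * -Server $TrustingDomain |
        Where-Object { -not $_.IntraForest -and "$($_.Direction)" -in @('Outbound', 'BiDirectional') }

    if (-not $trusts) {
        Write-Verbose "No external or forest trusts found for $TrustingDomain; AD.0190 is Not Applicable."
        return
    }

    foreach ($t in $trusts) {
        if ($t.ForestTransitive) {
            # Forest trust: the check string is "SID history is disabled for this trust".
            # /quarantine:Yes is deliberately not used here; on a forest trust it would also
            # strip SIDs of the trusted forest's child domains and break the transitive trust.
            $kind     = 'Forest'
            $query    = '/enablesidhistory'
            $fix      = '/enablesidhistory:No'
            $expected = 'SID history is disabled for this trust'
        } else {
            # External trust: the check string is "SID filtering is enabled for this trust".
            $kind     = 'External'
            $query    = '/quarantine'
            $fix      = '/quarantine:Yes'
            $expected = 'SID filtering is enabled for this trust'
        }

        # Same command the check content gives; a switch with no value only queries the setting.
        $netdomArgs = @('trust', $TrustingDomain, "/d:$($t.Name)", $query)
        $out = (& netdom.exe @netdomArgs 2>&1 | Out-String).Trim()
        $compliant = $out -match [regex]::Escape($expected)

        if (-not $compliant -and $Remediate -and
            $PSCmdlet.ShouldProcess("$TrustingDomain -> $($t.Name) ($kind trust)", "netdom trust $fix")) {
            # Runs under the current credentials; add /usero and /passwordo as in the STIG fix
            # text if the session is not a domain administrator of the trusting domain.
            $fixArgs = @('trust', $TrustingDomain, "/d:$($t.Name)", $fix)
            $null = & netdom.exe @fixArgs 2>&1
            # Re-query so the reported state reflects what is actually set now.
            $out = (& netdom.exe @netdomArgs 2>&1 | Out-String).Trim()
            $compliant = $out -match [regex]::Escape($expected)
        }

        [pscustomobject]@{
            TrustingDomain = $TrustingDomain
            TrustedDomain  = $t.Name
            TrustType      = $kind
            Direction      = "$($t.Direction)"
            Compliant      = $compliant
            Finding        = if ($compliant) { '' } else { "AD.0190: $kind trust to $($t.Name) does not report '$expected'" }
            NetdomOutput   = $out
        }
    }
}

# Audit only. Add -Remediate -WhatIf to preview fixes, -Remediate to apply them.
Test-Ad0190SidFiltering -Verbose |
    Format-Table TrustedDomain, TrustType, Direction, Compliant, Finding -AutoSize
```

The script keeps netdom as the source of truth because its output is exactly what the check content asks an assessor to read; the ActiveDirectory module is used only to discover which trusts exist and on which side this domain sits. Run it on a domain controller or an RSAT host of the trusting domain, once per domain that holds external or forest trusts.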

Documentable

False

Severity Override Guidance


Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

870

Comments