STIGQter: STIG Summary: Active Directory Domain Security Technical Implementation Guide (STIG) Version: 2 Release: 13 Benchmark Date: 26 Apr 2019

The domain functional level must be at a Windows Server version still supported by Microsoft.

DISA Rule

SV-9048r4_rule

Vulnerability Number

V-8551

Group Title

Domain Functional Level

Rule Version

AD.0160

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Raise the domain functional level to Windows Server 2008 or later. Using the highest domain functional level supported by the domain controllers is recommended.

Raising the domain functional level needs to be carefully planned and implemented. Once the level is raised, domain controllers running Windows versions prior to the current domain functional level can no longer be added to the domain.

See Microsoft documentation for the process and requirements of raising the domain functional level.

Check Contents

Open "Active Directory Domains and Trusts" (run "domain.msc") or "Active Directory Users and Computers" (run "dsa.msc").
Right click in the left pane on the name of the Domain being reviewed.
Select "Raise domain functional level…"
The current domain functional level will be displayed (as well as the option to raise the domain functional level).
Select "Cancel" to exit.

Alternatively, use PowerShell (Windows 2008 R2 or later):
Select "Active Directory Module for Windows PowerShell", available in Administrative Tools or the Start Screen.
Run "Get-ADDomain".
View the value for "DomainMode:"

If the domain functional level is not Windows Server 2008 or later, this is a finding.

Using the highest domain functional level supported by the domain controllers is recommended.
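
The PowerShell check above, written as a script. This is an added example, not part of the STIG text: it reads "DomainMode", flags levels below Windows Server 2008, and lists each domain controller's operating system so the reviewer can judge whether a higher level is available. The status labels and variable names are this example's own.

```powershell
# Added example: evaluates rule AD.0160 (V-8551) for the current domain.
# Requires the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory -ErrorAction Stop

# Domain modes older than Windows Server 2008 are a finding under this rule.
$belowMinimum = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'

$domain = Get-ADDomain
$mode   = $domain.DomainMode.ToString()

if ($belowMinimum -contains $mode) {
    $status = 'Finding'
} elseif ($mode -like 'Windows20*Domain') {
    $status = 'NotAFinding'
} else {
    # Anything unrecognised (for example UnknownDomain) needs a manual look.
    $status = 'ManualReview'
}

# Result record for the checklist.
[pscustomobject]@{
    Rule       = 'AD.0160 / V-8551'
    Domain     = $domain.DNSRoot
    DomainMode = $mode
    Status     = $status
} | Format-List

# Operating system of every domain controller: the oldest one limits how far
# the functional level can be raised.
Get-ADDomainController -Filter * |
    Sort-Object HostName |
    Format-Table HostName, OperatingSystem, OperatingSystemVersion -AutoSize
```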

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

870

Comments