STIGQter: STIG Summary: Active Directory Domain Security Technical Implementation Guide (STIG)

Version: 2

Release: 13

Benchmark Date: 26 Apr 2019

SV-9018r3_rule: User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts.
SV-30991r3_rule: A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries.
SV-30994r3_rule: If a VPN is used in the AD implementation, the traffic must be inspected by the network intrusion detection system (IDS).
SV-30996r3_rule: Active Directory must be supported by multiple domain controllers where the Risk Management Framework categorization for Availability is moderate or high.
SV-30995r4_rule: Active Directory implementation information must be added to the organization contingency plan where the Risk Management Framework categorization for Availability is moderate or high.
SV-31214r2_rule: The impact of INFOCON changes on the cross-directory authentication configuration must be considered and procedures documented.
SV-30989r3_rule: Each cross-directory authentication configuration must be documented.
SV-9030r2_rule: Access to need-to-know information must be restricted to an authorized community of interest.
SV-9031r2_rule: Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts.
SV-9033r2_rule: A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks.
SV-9035r3_rule: Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.
SV-9037r3_rule: Selective Authentication must be enabled on outgoing forest trusts.
SV-9044r3_rule: The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group.
SV-9045r3_rule: Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited.
SV-31557r2_rule: Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups.
SV-9048r4_rule: The domain functional level must be at a Windows Server version still supported by Microsoft.
SV-30992r3_rule: Inter-site replication must be enabled and configured to occur at least daily.
SV-31547r3_rule: Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.
SV-32179r3_rule: The Directory Service Restore Mode (DSRM) password must be changed at least annually.
SV-32648r2_rule: Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.
SV-47837r2_rule: Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest.
SV-47838r2_rule: Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
SV-47839r2_rule: Administrators must have separate accounts specifically for managing domain member servers.
SV-47840r2_rule: Administrators must have separate accounts specifically for managing domain workstations.
SV-47841r2_rule: Delegation of privileged accounts must be prohibited.
SV-47844r5_rule: Local administrator accounts on domain systems must not share the same password.
SV-56469r2_rule: Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts.
SV-56473r2_rule: Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers.
SV-56533r4_rule: Usage of administrative accounts must be monitored for suspicious and anomalous activity.
SV-56534r4_rule: Systems must be monitored for attempts to use local accounts to log on remotely from other systems.
SV-56535r4_rule: Systems must be monitored for remote desktop logons.
SV-56889r2_rule: Windows service / application accounts with administrative privileges and manually managed passwords must have passwords changed at least every 60 days.
SV-67945r1_rule: Domain controllers must be blocked from Internet access.
SV-87467r1_rule: All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days.
SV-92837r3_rule: User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
SV-102373r1_rule: Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.