Active Directory Domain Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Domain controllers must be blocked from Internet access.
Vulnerability discussion: Domain controllers provide access to highly privileged areas of a domain. Such systems with Internet access may be exposed ...
Rule: Medium severity
Group: SRG-OS-000076

All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days.
Vulnerability discussion: When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and ass...
Rule: Medium severity
Group: SRG-OS-000480

User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
Vulnerability discussion: User accounts with domain level administrative privileges are highly prized in Pass-the-Hash/credential theft attacks. The P...
Rule: Medium severity
Group: SRG-OS-000480

Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.
Vulnerability discussion: Unconstrained delegation enabled on a computer can allow the computer account to be impersonated without limitation. If deleg...
Rule: Medium severity
Group: SRG-OS-000480

The Directory Service Restore Mode (DSRM) password must be changed at least annually.
Vulnerability discussion: The Directory Service Restore Mode (DSRM) password, used to log on to a domain controller (DC) when rebooting into the server...
Rule: Medium severity
Group: SRG-OS-000480