Active Directory Domain Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest. [Rule, High Severity]
The Enterprise Admins group is a highly privileged group. Personnel who are system administrators must log on to Active Directory systems only using accounts with the level of authority necessary....

Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts. [Rule, Medium Severity]
A separate smart card for Enterprise Admin and Domain Admin accounts eliminates the automatic exposure of the private keys for the EA/DA accounts to less secure user platforms when the other accoun...

All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days. [Rule, Medium Severity]
When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and associated NT hash are not changed as are accounts with passwords controlle...

Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation. [Rule, Medium Severity]
Unconstrained delegation enabled on a computer can allow the computer account to be impersonated without limitation. If delegation is required, it must be limited/constrained to the specific servic...

The Directory Service Restore Mode (DSRM) password must be changed at least annually. [Rule, Medium Severity]
The Directory Service Restore Mode (DSRM) password, used to log on to a domain controller (DC) when rebooting into the server recovery mode, is very powerful. With a weak or known password, someon...

A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks. [Rule, High Severity]
The configuration of an AD trust relationship is one of the steps used to allow users in one domain to access resources in another domain, forest, or Kerberos realm. When a trust is defined between...

Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust. [Rule, Medium Severity]
Under some circumstances it is possible for attackers or rogue administrators that have compromised a domain controller in a trusted domain to use the SID history attribute (sIDHistory) to associat...

User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts. [Rule, Low Severity]
In AD it is possible to delegate account and other AD object ownership and administration tasks. (This is commonly done for help desk or other user support staff.) This is done to avoid the need to...

A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries. [Rule, Medium Severity]
The normal operation of AD requires the use of IP network ports and protocols to support queries, replication, user authentication, and resource authorization services. At a minimum, LDAP or LDAPS ...

Windows Server domain controllers must have Kerberos logging enabled with servers hosting Active Directory Certificate Services (AD CS). [Rule, Medium Severity]
Although Kerberos logging can be used for troubleshooting, it can also provide security information for successful and failed login attempts. If a malicious actor uses a forged or unauthorized cert...