II - Mission Support Classified
Rules and Groups employed by this XCCDF Profile
SRG-OS-000112
Group
Local administrator accounts on domain systems must not share the same password.
Local administrator accounts on domain systems must use unique passwords. In the event a domain system is compromised, sharin...
Rule, Medium Severity
SRG-OS-000480
Group
Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts.
A separate smart card for Enterprise Admin and Domain Admin accounts eliminates the automatic exposure of the private keys fo...
Rule, Medium Severity
SRG-OS-000480
Group
Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers.
Public facing servers should be in DMZs with separate Active Directory forests. If, because of operational necessity, this i...
Rule, Medium Severity
SRG-OS-000480
Group
Domain controllers must be blocked from Internet access.
Domain controllers provide access to highly privileged areas of a domain. Such systems with Internet access may be exposed ...
Rule, Medium Severity
SRG-OS-000076
Group
All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days.
When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and ass...
Rule, Medium Severity