II - Mission Support Public

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000480

    Group
  • User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.

    User accounts with domain level administrative privileges are highly prized in Pass-the-Hash/credential theft attacks. The Protected Users group provides extra protections to accounts such as prev...
    Rule Medium Severity
  • SRG-OS-000480

    Group
  • Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.

    Unconstrained delegation enabled on a computer can allow the computer account to be impersonated without limitation. If delegation is required, it must be limited/constrained to the specific servic...
    Rule Medium Severity
  • SRG-OS-000480

    Group
  • The Directory Service Restore Mode (DSRM) password must be changed at least annually.

    The Directory Service Restore Mode (DSRM) password, used to log on to a domain controller (DC) when rebooting into the server recovery mode, is very powerful. With a weak or known password, someon...
    Rule Medium Severity
  • SRG-OS-000480

    Group
  • The domain functional level must be at a Windows Server version still supported by Microsoft.

    Domains operating at functional levels below Windows Server versions no longer supported by Microsoft reduce the level of security in the domain and forest as advanced features of the directory are...
    Rule Medium Severity
  • SRG-OS-000480

    Group
  • Access to need-to-know information must be restricted to an authorized community of interest.

    Because trust relationships effectively eliminate a level of authentication in the trusting domain or forest, they represent less stringent access control at the domain or forest level in which the...
    Rule Medium Severity
  • SRG-OS-000480

    Group
  • Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts.

    If a robust cross-domain solution is not used, then it could permit unauthorized access to classified data. To support secure access between resources of different classification levels, the soluti...
    Rule High Severity
  • SRG-OS-000480

    Group
  • A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks.

    The configuration of an AD trust relationship is one of the steps used to allow users in one domain to access resources in another domain, forest, or Kerberos realm. When a trust is defined between...
    Rule High Severity
  • SRG-OS-000104

    Group
  • Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.

    Under some circumstances it is possible for attackers or rogue administrators that have compromised a domain controller in a trusted domain to use the SID history attribute (sIDHistory) to associat...
    Rule Medium Severity
  • SRG-OS-000080

    Group
  • Selective Authentication must be enabled on outgoing forest trusts.

    Enabling Selective Authentication on outbound Active Directory (AD) forest trusts significantly strengthens access control by requiring explicit authorization (through the Allowed to Authenticate p...
    Rule Medium Severity
  • SRG-OS-000121

    Group
  • The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group.

    The Pre-Windows 2000 Compatible Access group was created to allow Windows NT domains to interoperate with AD domains by allowing unauthenticated access to certain AD data. The default permissions o...
    Rule Medium Severity