III - Administrative Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest.
<VulnDiscussion>The Enterprise Admins group is a highly privileged group. Personnel who are system administrators must log on to Active Dire...Rule High Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
<VulnDiscussion>The Domain Admins group is a highly privileged group. Personnel who are system administrators must log on to Active Director...Rule High Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Administrators must have separate accounts specifically for managing domain member servers.
<VulnDiscussion>Personnel who are system administrators must log on to domain systems only using accounts with the minimum level of authority...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Administrators must have separate accounts specifically for managing domain workstations.
<VulnDiscussion>Personnel who are system administrators must log on to domain systems only using accounts with the minimum level of authority...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Delegation of privileged accounts must be prohibited.
<VulnDiscussion>Privileged accounts such as those belonging to any of the administrator groups must not be trusted for delegation. Allowing p...Rule High Severity -
SRG-OS-000112
<GroupDescription></GroupDescription>Group -
Local administrator accounts on domain systems must not share the same password.
<VulnDiscussion>Local administrator accounts on domain systems must use unique passwords. In the event a domain system is compromised, sharin...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts.
<VulnDiscussion>A separate smart card for Enterprise Admin and Domain Admin accounts eliminates the automatic exposure of the private keys fo...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers.
<VulnDiscussion>Public facing servers should be in DMZs with separate Active Directory forests. If, because of operational necessity, this i...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Domain controllers must be blocked from Internet access.
<VulnDiscussion> Domain controllers provide access to highly privileged areas of a domain. Such systems with Internet access may be exposed ...Rule Medium Severity -
SRG-OS-000076
<GroupDescription></GroupDescription>Group -
All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days.
<VulnDiscussion>When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and ass...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
<VulnDiscussion>User accounts with domain level administrative privileges are highly prized in Pass-the-Hash/credential theft attacks. The P...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.
<VulnDiscussion>Unconstrained delegation enabled on a computer can allow the computer account to be impersonated without limitation. If deleg...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The Directory Service Restore Mode (DSRM) password must be changed at least annually.
<VulnDiscussion>The Directory Service Restore Mode (DSRM) password, used to log on to a domain controller (DC) when rebooting into the server...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
The domain functional level must be at a Windows Server version still supported by Microsoft.
<VulnDiscussion>Domains operating at functional levels below Windows Server versions no longer supported by Microsoft reduce the level of sec...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Access to need-to-know information must be restricted to an authorized community of interest.
<VulnDiscussion>Because trust relationships effectively eliminate a level of authentication in the trusting domain or forest, they represent ...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts.
<VulnDiscussion>If a robust cross-domain solution is not used, then it could permit unauthorized access to classified data. To support secure...Rule High Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks.
<VulnDiscussion>The configuration of an AD trust relationship is one of the steps used to allow users in one domain to access resources in an...Rule High Severity -
SRG-OS-000104
<GroupDescription></GroupDescription>Group -
Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.
<VulnDiscussion>Under some circumstances it is possible for attackers or rogue administrators that have compromised a domain controller in a ...Rule Medium Severity -
SRG-OS-000080
<GroupDescription></GroupDescription>Group -
Selective Authentication must be enabled on outgoing forest trusts.
<VulnDiscussion>Enabling Selective Authentication on outbound Active Directory (AD) forest trusts significantly strengthens access control by...Rule Medium Severity -
SRG-OS-000121
<GroupDescription></GroupDescription>Group -
The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group.
<VulnDiscussion>The Pre-Windows 2000 Compatible Access group was created to allow Windows NT domains to interoperate with AD domains by allow...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited.
<VulnDiscussion>Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups assigns a high privilege level for AD...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts.
<VulnDiscussion>In AD it is possible to delegate account and other AD object ownership and administration tasks. (This is commonly done for h...Rule Low Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.
<VulnDiscussion>The RODC role provides a unidirectional replication method for selected information from your internal network to the DMZ. If...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Usage of administrative accounts must be monitored for suspicious and anomalous activity.
<VulnDiscussion>Monitoring the usage of administrative accounts can alert on suspicious behavior and anomalous account usage that would be in...Rule Medium Severity -
SRG-OS-000480
<GroupDescription></GroupDescription>Group -
Systems must be monitored for attempts to use local accounts to log on remotely from other systems.
<VulnDiscussion>Monitoring for the use of local accounts to log on remotely from other systems may indicate attempted lateral movement in a P...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.