![adds active directory domain services adds active directory domain services](https://www.tactig.com/wp-content/uploads/2015/12/3.Server-Manager.jpg)
Systems with a categorization of low must be backed up weekly.įailure to maintain a current backup of directory data could make it difficult or impossible to recover from incidents including hardware failure or malicious corruption. If, because of operational necessity, this is not possible, lateral movement from these servers must be mitigated.Īctive Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Public facing servers should be in DMZs with separate Active Directory forests. Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers.
#Adds active directory domain services windows
The domain functional level must be at a Windows Server version still supported by Microsoft.ĭomains operating at functional levels below Windows Server versions no longer supported by Microsoft reduce the level of security in the domain and forest as advanced features of the directory. In AD implementation using AD Sites, domain. Timely replication makes certain that directory service data is consistent across all servers that support the same scope of data for their clients. Inter-site replication must be enabled and configured to occur at least daily. Monitoring for the use of local accounts to log on remotely from other systems may indicate attempted lateral movement in a Pass-the-Hash attack.Īccess to need-to-know information must be restricted to an authorized community of interest.īecause trust relationships effectively eliminate a level of authentication in the trusting domain or forest, they represent less stringent access control at the domain or forest level in which.
![adds active directory domain services adds active directory domain services](https://icdn.enterinit.com/wp-content/uploads/2016/12/26095645/winsrv2016adpt14.png)
Systems must be monitored for attempts to use local accounts to log on remotely from other systems. Monitoring for any Remote Desktop logins outside of expected. Remote Desktop activity for administration should be limited to specific administrators, and from limited management workstations. Systems must be monitored for remote desktop logons. The Protected Users group provides extra protections to accounts such as. User accounts with domain level administrative privileges are highly prized in Pass-the-Hash/credential theft attacks. User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher. Under some circumstances it is possible for attackers or rogue administrators that have compromised a domain controller in a trusted domain to use the SID history attribute (sIDHistory) to. Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.
![adds active directory domain services adds active directory domain services](https://sanuja.com/blog/wp-content/uploads/2019/09/winserver_add_roles_features_adds_11.jpg)
Personnel who are system administrators must log on to Active Directory systems only using accounts with the level of authority. The Enterprise Admins group is a highly privileged group. Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest. Personnel who are system administrators must log on to Active Directory systems only using accounts with the level of authority necessary. The Domain Admins group is a highly privileged group.
![adds active directory domain services adds active directory domain services](https://www.dtonias.com/wp-content/uploads/2018/01/add-another-domain-controller-active-directory-02.png)
Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers. Allowing privileged accounts to be trusted for delegation provides a means for. Privileged accounts such as those belonging to any of the administrator groups must not be trusted for delegation. When a trust is defined.ĭelegation of privileged accounts must be prohibited. The configuration of an AD trust relationship is one of the steps used to allow users in one domain to access resources in another domain, forest, or Kerberos realm. To support secure access between resources of different classification levels, the.Ī controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks. If a robust cross-domain solution is not used, then it could permit unauthorized access to classified data. Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts. Findings (MAC III - Administrative Sensitive) Finding ID