{ "name": "stig_active_directory_service_2003", "date": "2011-05-20", "description": "This STIG is applicable to all Windows 2003 servers with the Windows Active Directory (AD). The settings required by each check will be applied to each Domain Controller running the AD directory service. The system must also be reviewed using the Windows 2003 (or 2003 R2) and the Active Directory Domain STIGs. Also, if a forest architecture is implemented, a security review using the Active Directory Forest STIG is required.", "title": "Active Directory Service 2003 Security Technical Implementation Guide (STIG)", "version": "2", "item_syntax": "^\\w-\\d+$", "section_separator": null, "items": [ { "id": "V-12780", "title": "The Synchronize Directory Service Data user right must not be assigned to any account.", "description": "A Windows account with the Synchronize Directory Service Data right has the ability to read all information in the AD database. This bypasses the object access permissions that would otherwise restrict access to the data. The scope of access granted by this right is too broad for secure usage. Specific object permissions or other group membership assignments could be used to provide access on an appropriate scale.", "severity": "high" }, { "id": "V-14783", "title": "Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.", "description": "Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network or when SAMI data is included. ", "severity": "medium" }, { "id": "V-14789", "title": "Locally written (non-vendor) code used in AD operations must comply with the requirements of the Application STIG. \n", "description": "Unlike vendor programs that might be recovered by purchasing and\\or downloading a replacement copy, the lack of a backup for locally written (non-vendor) code could result in the inability to recover from inadvertent or malicious deletion or simple hardware failure. ", "severity": "medium" }, { "id": "V-14797", "title": "Anonymous access to the root DSE of a non-public directory must be disabled.", "description": "Allowing anonymous access to the root DSE data on a directory server provides potential attackers with a number of details about the configuration and data contents of a directory. For example, the namingContexts attribute indicates the directory space contained in the directory; the supportedLDAPVersion attribute indicates which versions of the LDAP protocol the server supports; and the supportedSASLMechanisms attribute indicates the names of supported authentication mechanisms. An attacker with this information may be able to select more precisely targeted attack tools or higher value targets.\n", "severity": "low" }, { "id": "V-14798", "title": "Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access. ", "description": "To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.\n", "severity": "high" }, { "id": "V-14820", "title": "PKI certificates (server and clients) must be issued by the DoD PKI or an approved External Certificate Authority (ECA). ", "description": "A PKI implementation depends on the practices established by the Certificate Authority to ensure that the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.", "severity": "high" }, { "id": "V-14831", "title": "The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.", "description": "- The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability. \n", "severity": "low" }, { "id": "V-15488", "title": "For unclassified systems, the directory server must be configured to use the CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.", "description": "CTO 07-015 requires PKI authentication. PKI is a two-factor authentication technique, thus it provides a higher level of trust in the asserted identity than use of the username/password authentication technique.", "severity": "medium" }, { "id": "V-2370", "title": "The access control permissions for the directory service site group policy must be configured to use the required access permissions. ", "description": "When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service.\n\nFor AD, the Group Policy and OU objects require special attention. In a distributed administration model (such as might be used with a help desk or other user support staff), Group Policy and OU objects are more likely to have access permissions changed from the secure defaults.\n\nIf inappropriate access permissions are defined for Group Policy Objects, it could allow an intruder to change the security policy applied to all domain client computers (workstations and servers).\n\nIf inappropriate access permissions are defined for OU objects, it could allow an intruder to add or delete users in the OU. This could result in unauthorized access to data or a denial of service to authorized users.\n", "severity": "high" }, { "id": "V-2373", "title": "The Server Operators group must have the ability to schedule jobs by means of the AT command disabled.", "description": "This policy controls the ability of members of the local Server Operators group to schedule AT jobs. If disabled, only administrators can schedule jobs that use AT commands. Unlike Scheduled Tasks which require you to specify the credential under which the task will run, AT jobs run under the authority of whatever account the AT service runs (SYSTEM by default). Non administrators who can schedule AT commands, thus have a means to elevate their privileges. Although this setting is disabled, Server Operators will still be able to schedule jobs using Task Scheduler.", "severity": "medium" }, { "id": "V-2376", "title": "The Kerberos policy option must be configured to enforce user logon restrictions.", "description": "This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default which is the most secure setting for validating access to target resources is not circumvented.", "severity": "medium" }, { "id": "V-2377", "title": "The Kerberos service ticket maximum lifetime must meet minimum standards.", "description": "This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection.", "severity": "medium" }, { "id": "V-2378", "title": "The Kerberos policy option maximum lifetime for user ticket must be set to a maximum of 10 hours or less.", "description": "In Kerberos, there are 2 types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user’s initial authentication to the domain controller results in a TGT which is then used to request Service Tickets to resources. Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. For services that startup under a specified user account, users must always get a TGT first, then get Service Tickets to all computers and services accessed. ", "severity": "medium" }, { "id": "V-2379", "title": "The Kerberos policy option Maximum lifetime for user ticket renewal must be configured for a maximum of 7 days or less.", "description": "This setting determines the period of time (in days) during which a users TGT may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access.", "severity": "medium" }, { "id": "V-2380", "title": "The Kerberos policy option Maximum tolerance for computer clock synchronization must be set to a maximum of 5 minutes or less. ", "description": "This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.", "severity": "medium" }, { "id": "V-26683", "title": "PKI certificates (user certificates) must be issued by the DoD PKI or an approved External Certificate Authority (ECA). \n\n", "description": "A PKI implementation depends on the practices established by the Certificate Authority to ensure that the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. ", "severity": "high" }, { "id": "V-27109", "title": "Access Control permissions on the FRS Directory data files do not have proper access permissions.", "description": "Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.", "severity": "medium" }, { "id": "V-27119", "title": "Access control permissions on the GPT directory files must comply with the required guidance.", "description": "Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.\n\nFor AD this data includes identification, authentication, and authorization data. A compromise of this data could have grave consequences to a large number of hosts throughout the AD forest that utilize the directory server data to make access control decisions.", "severity": "high" }, { "id": "V-2906", "title": "A complex password filter must be installed and configured. ", "description": "Weak passwords are easly broken with readily available hacker tools. They can give an intruder access to the system with the privileges of the account whose password was broken.", "severity": "medium" }, { "id": "V-4408", "title": "The domain controller must be configured to allow reset of machine account passwords.", "description": "Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.", "severity": "low" }, { "id": "V-8316", "title": "Access control permissions on the AD database, log, and work files must conform to the required guidance. ", "description": "Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.\n", "severity": "high" }, { "id": "V-8317", "title": "The directory server data files must be located on a different logical partition from the data files owned by users. ", "description": "When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files that share a partition may be configured with less restrictive permissions in order to allow access to the user data. \n\nThe directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent that prevents the directory service from acquiring more space for directory or audit data.\n", "severity": "medium" }, { "id": "V-8320", "title": "Directory server directories and files must be configured with required permissions. ", "description": "Improper access permissions for directory server program (executable) and configuration files could allow unauthorized and malicious users to read, modify, or delete those files and change the way a directory server operates. This could lead to a compromise of the confidentiality, availability, and integrity of directory data.\n\nSome administration tool packages (such as the Windows Support Tools) include programs designed to perform updates on directory configuration and database data. Even though the directory data should be protected through file and object access permissions, allowing unauthorized access to administrative programs provides a potential attacker with tools that are already installed in the environment.", "severity": "medium" }, { "id": "V-8322", "title": "Install or enable time synchronization on the directory service server. ", "description": "- When a directory service that uses multi-master replication (such as AD) executes on computers that do not have synchronized time, directory data may be corrupted or updated invalidly.\n- The lack of synchronized time could lead to audit log data that is misleading, inconclusive, or unusable. In cases of intrusion this may invalidate the audit data as a source of forensic evidence in an incident investigation.\n- In AD, the lack of synchronized time could prevent clients from logging on or accessing server resources as a result of Kerberos requirements related to time variance.\n", "severity": "medium" }, { "id": "V-8324", "title": "The time synchronization tool must be configured to enable logging of time source switching.", "description": "When a time synchronization tool executes, it may switch between time sources according to network or server contention. If switches between time sources are not logged, it may be difficult or impossible to detect malicious activity or availability problems.", "severity": "low" }, { "id": "V-8326", "title": "The directory server supporting (directly or indirectly) system access or resource authorization, must run on a machine dedicated to that function. ", "description": "Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts that increase the attack surface of the computer. \n\nSome applications require the addition of privileged accounts that provide potential sources of compromise. Some applications (such as MS Exchange) may require the use of network ports or services that conflict with the directory server. In that case, non-standard ports might be selected and this could interfere with intrusion detection or prevention services.", "severity": "medium" }, { "id": "V-8327", "title": "OS services that are critical for directory server operation must be configured for automatic startup. \n", "description": "AD is dependent on several Windows services. If one or more of these services is not configured for automatic startup, AD functions may be partially or completely unavailable until the services are manually started. This could result in a failure to replicate data or to support client authentication and authorization requests.", "severity": "medium" } ] }