STIGQter: STIG Summary: Active Directory Domain Security Technical Implementation Guide (STIG) Version: 2 Release: 13 Benchmark Date: 26 Apr 2019:

A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries.

DISA Rule

SV-30991r3_rule

Vulnerability Number

V-8522

Group Title

Directory Service Inter-Enclave VPN Usage

Rule Version

DS00.1140_AD

Severity

CAT II

CCI(s)

• CCI-002418 - The information system protects the confidentiality and/or integrity of transmitted information.

Weight

10

Fix Recommendation

Implement a VPN or other network protection solution in accordance with the Network Infrastructure STIG that protects AD data in transit across DoD enclave boundaries.

Check Contents

1. Review the site's network diagram(s) to determine if domain controllers for the domain are located in multiple enclaves. The object is to determine if network traffic is traversing enclave network boundaries.

2. Request information about RODC or ADAM instances are installed. In particular, request details of Active Diretory functionality installed or extended into the DMZ or configured/allowed to cross the sites outbound firewall boundary. Ensure communications and replication traffic is encrypted.

3. If domain controllers are not located in multiple enclaves, then this check is not applicable.

4. If domain controllers are located in multiple enclaves, verify that a VPN is used to transport the network traffic (replication, user logon, queries, etc.).

5. If a VPN solution is not used to transport directory network traffic across enclave boundaries, then this is a finding.

6. If the ADAM mode is in use and a migration plan for converting to RODC is not in place, then this is a finding.

Vulnerability Number

V-8522

Documentable

False

Rule Version

DS00.1140_AD

Severity Override Guidance

1. Review the site's network diagram(s) to determine if domain controllers for the domain are located in multiple enclaves. The object is to determine if network traffic is traversing enclave network boundaries.

2. Request information about RODC or ADAM instances are installed. In particular, request details of Active Diretory functionality installed or extended into the DMZ or configured/allowed to cross the sites outbound firewall boundary. Ensure communications and replication traffic is encrypted.

3. If domain controllers are not located in multiple enclaves, then this check is not applicable.

4. If domain controllers are located in multiple enclaves, verify that a VPN is used to transport the network traffic (replication, user logon, queries, etc.).

5. If a VPN solution is not used to transport directory network traffic across enclave boundaries, then this is a finding.

6. If the ADAM mode is in use and a migration plan for converting to RODC is not in place, then this is a finding.

Check Content Reference

M

Responsibility

Information Assurance Manager

Target Key

870

Comments