Checked | Name | Title |
---|---|---|
☐ | SV-9018r3_rule | User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts. |
☐ | SV-30991r3_rule | A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries. |
☐ | SV-30994r3_rule | If a VPN is used in the AD implementation, the traffic must be inspected by the network Intrusion Detection System (IDS). |
☐ | SV-30996r3_rule | Active Directory must be supported by multiple domain controllers where the Risk Management Framework categorization for Availability is moderate or high. |
☐ | SV-30995r4_rule | Active Directory implementation information must be added to the organization contingency plan where the Risk Management Framework categorization for Availability is moderate or high. |
☐ | SV-31214r2_rule | The impact of INFOCON changes on the cross-directory authentication configuration must be considered and procedures documented. |
☐ | SV-30989r3_rule | Each cross-directory authentication configuration must be documented. |
☐ | SV-9030r2_rule | Access to need-to-know information must be restricted to an authorized community of interest. |
☐ | SV-9031r2_rule | Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts. |
☐ | SV-9033r2_rule | A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks. |
☐ | SV-9035r3_rule | Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust. |
☐ | SV-9037r3_rule | Selective Authentication must be enabled on outgoing forest trusts. |
☐ | SV-9044r3_rule | The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group. |
☐ | SV-9045r3_rule | Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited. |
☐ | SV-31557r2_rule | Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups. |
☐ | SV-9048r4_rule | The domain functional level must be at a Windows Server version still supported by Microsoft. |
☐ | SV-30992r3_rule | Inter-site replication must be enabled and configured to occur at least daily. |
☐ | SV-31547r3_rule | Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly. |
☐ | SV-32179r3_rule | The Directory Service Restore Mode (DSRM) password must be changed at least annually. |
☐ | SV-32648r2_rule | Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements. |
☐ | SV-47837r2_rule | Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest. |
☐ | SV-47838r2_rule | Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers. |
☐ | SV-47839r2_rule | Administrators must have separate accounts specifically for managing domain member servers. |
☐ | SV-47840r2_rule | Administrators must have separate accounts specifically for managing domain workstations. |
☐ | SV-47841r2_rule | Delegation of privileged accounts must be prohibited. |
☐ | SV-47844r5_rule | Local administrator accounts on domain systems must not share the same password. |
☐ | SV-56469r2_rule | Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts. |
☐ | SV-56473r2_rule | Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers. |
☐ | SV-56533r4_rule | Usage of administrative accounts must be monitored for suspicious and anomalous activity. |
☐ | SV-56534r4_rule | Systems must be monitored for attempts to use local accounts to log on remotely from other systems. |
☐ | SV-56535r4_rule | Systems must be monitored for remote desktop logons. |
☐ | SV-56889r2_rule | Windows service / application accounts with administrative privileges and manually managed passwords must have passwords changed at least every 60 days. |
☐ | SV-67945r1_rule | Domain controllers must be blocked from Internet access. |
☐ | SV-87467r1_rule | All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days. |
☐ | SV-92837r3_rule | User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher. |
☐ | SV-102373r1_rule | Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation. |