D30. Windows 2003 Active Directory Security Baselines

Updated On: Apr-13 (Version 1.
0)
INTERNAL USE
PETRONAS
Windows 2003 Active
Directory Security
Baseline
PETRONAS Windows 2003 Active Directory Security Baseline
Updated On: Apr-13 (Version 1.0)
INTERNAL USE
DOCUMENT OWNER
Group Information Security and Risk Management
FEEDBACK AND COMMENTS

Feedback and comments on the contents of this document can be submitted to the
Document Owner. Alternatively, write in to the following address:
Group Information Security and Risk Management,
PETRONAS ICT
Level 16, Menara Perak,
No 24 Jalan Perak, 50450 Kuala Lumpur
Attn: Manager, Security & Risk Consulting
DOCUMENT CONTROL
Page No
Version /
Issue Date
INTERNAL USE
Nature of Amendments/Change
INTERNAL USE
Contents
1.
Introduction ......................................................................................... 5
2.
Procedures and Tools for The Review Process ........................................... 7
4.
Active Directory Domain Controller .......................................................... 8
5.
4.1.
Data / Program Access Control .......................................................... 8
4.2.
Time Synchronization Control ........................................................... 9
4.3.
Domain Controller Characteristics .................................................... 10
4.4.
AD Object Access Permissions and Auditing ...................................... 11
Active Directory Domain ...................................................................... 13

5.1.
Trust Relationships ........................................................................ 13
5.2.
Privileged Group Membership .......................................................... 15
5.3.
Other Domain Characteristics.......................................................... 17
6.
Active Directory Forest ........................................................................ 17
7.
APPENDIX A: OBJECT PERMISSIONS AND AUDIT SETTINGS ..................... 20
8.
APPENDIX D: DIRECTORY INFORMATION GATHERING ............................. 25
BASELINE CHECKLIST .................................................................................. 30
Page 4 of 35
INTERNAL USE
1. Introduction
This document describes the security baselines for Microsoft Windows Server
2003 Active Directory. The baselines consist of security standards and
configuration settings necessary to provides data security protection by
(1) Identifying and verifying users entering the system,
(2) Restricting access to protected resources to authorized users,
(3) Restricting the capabilities of authorized users, once they gain access to
protected resources, and
(4) Logging and reporting security-related events.
Purpose
The purpose of this document is to provide a common basis for security
management of Microsoft Windows Server 2003 at PETRONAS and does not leave
its interpretation to users.
Scope and Intended Audience

This security baseline applies to all employees, consultants, vendors, contractors,
students and others on any premises occupied by PETRONAS. Further, it also
includes all activities in development and implementation of security controls or
best practices to ensure that the Information Security objectives as outlined in
the PETRONAS Information Security Policy are achieved.
Adherence to these requirements and the security policies derived from them and
implementation of provisions is binding across the whole of PETRONAS, its
subsidiaries and majority holdings. Willful or negligent infringement of the policies
jeopardizes the interest of PETRONAS and will result in disciplinary, employment
and/or legal sanctions. In the case of the latter, the relevant line managers and
where applicable legal services shall bear responsibility.
There requirements and the security policies derived from them and
implementation provisions also apply to all suppliers of PETRONAS. They shall be
contractually bound to adhere to the security directives. If a contractual partner is
not prepared to adhere to the provisions, he must be bound in writing to assume
any resulting consequential damage.
As the baseline for operating system is technology dependent, the settings
described in this document are based on Microsoft Windows Server 2003, which is
currently in use in PETRONAS.
Definitions
Microsoft Windows Server 2003
Windows Server 2003 is a server operating system produced by Microsoft.
Windows Server 2003 comes in a number of editions, each targeted towards a
particular size and type of business. In general, all variants of Windows Server
have the ability to share files and printers, act as an application server, and host
message queues, provide email services, authenticate users, act as an X.509
certificate server, provide LDAP directory services, serve streaming media, and to
perform other server-oriented functions.
The key words MUST, MUST NOT, SHOULD, and SHOULD NOT in this
document are to be interpreted as below:
MUST - This word, mean that the definition is an absolute requirement of
the specification.
MUST NOT - This phrase, mean that the definition is an absolute
prohibition of the specification.
Page 5 of 35
INTERNAL USE
SHOULD - This word, mean that there may exist valid reasons in particular
circumstances to ignore a particular item, but the full implications must be
understood and carefully weighed before choosing a different course.
SHOULD NOT - This phrase, mean that there may exist valid reasons in
particular circumstances when the particular behavior is acceptable or
even useful, but the full implications should be understood and the case
carefully weighed before implementing any behavior described with this
label.
References
This baseline complements a set of existing corporate IT security policies that are
listed below:
PETRONAS Information Security Policy
The abovementioned security policies might override this baseline; in that case,
pointers to the relevant policies are provided.
Page 6 of 35
INTERNAL USE
2. Procedures and Tools for The Review Process

This section of the Checklist describes the procedures to be used to conduct a
manual review for the Active Directory baseline requirements.
All of the AD domain and forest checks in this document are performed on a
Windows domain controller using a Windows account that is a member of the
Domain Admins security group. While it is possible to perform these checks
remotely, the documented procedures assume that the reviewer is using the
console of the domain controller. The checks for synchronization and maintenance
products require the input and assistance of the Administrator of the application.
A Windows account with administrative privileges for the application is required.
It is assumed that the reviewer is familiar with the tools and procedures
documented in the Windows Security Checklists. While the procedures in this
document are generally explicit, basic procedures such as the process for
checking file system ACLs are not documented.
The following tools are used during the review process and are available on all
Windows domain controllers:
- Windows Explorer
- Microsoft Management Console (MMC) Snap-ins:
- AD Users and Computers (dsa.msc)
- AD Domains and Trusts (domain.msc)
- AD Sites and Services (dssite.msc)
- Services (services.msc)
- Registry Editor
- Command Prompt Invocation:
- Shared resources (net share)
- Directory Service Query (dsquery.exe) - Win2K3
The following tool is used during the review process and is only available if the
Windows
Support Tools have been installed:
- Command Prompt Invocation:
- Support Tools Domain Manager (netdom.exe)
The following information should be available to accelerate the review process:
- AD trust relationship documentation [Appendix provides examples.]
- Lists of accounts assigned to AD privileged groups (Domain Admins, Enterprise
Admins,
Schema Admins, Group Policy Creator Owners, and Incoming Forest Trust
Builders)
- List of accounts with the right to create AD objects (e.g., accounts, printers),
but that are not members of the built-in AD privileged groups
- Locations of AD domain controllers and AD sites, relative to the local Enclave
network
boundaries
- Location of the AD forest root PDC Emulator FSMO domain controller
- Presence of any Windows NT and Windows Server 2003 domain controllers
operating in the AD domain.
Page 7 of 35
INTERNAL USE
3. Active Directory Domain Controller

Notes: The checks in this section apply to assets with a Windows server OS and the
Domain Controller role and are performed for all domain controllers selected for
review in an AD domain. [This may be a sample of one or more domain controllers.]
3.1.
Data / Program Access Control

The checks in this section address access control for the AD data files and the
Windows Support Tools that may update those files.
a. DS00.0120 Directory Data File Access Permissions
Directory service data files do not have proper access permissions
(ACLs).
Checks:
Use Registry Editor to navigate to the following:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters.
Note the values for:
- DSA Database file
- Database log files path
- DSA Working Directory.
Using the noted locations, compare the ACLs of the AD database, log,
and work files to the specifications in Checklist appendix A.1.1.
If the actual permissions are not at least as restrictive as those in the
appendix,then this is a Finding.
HKLM\System\CurrentControlSet\Services\NtFrs\Parameters.
Note the value for: Working Directory.
Using the noted location, compare the ACL of the FRS directory to the
specifications in Checklist appendix A.1.1.
appendix,
then this is a Finding.
At a command line prompt enter net share.
Note the location for the SYSVOL share.
Using the noted location, compare the ACLs of the GPT directories
(GPT parent
and GPT Policies directories) to the specifications in Checklist appendix
A.1.1.
appendix,
b. DS10.0120 Support Tools Access Permissions

Page 8 of 35
INTERNAL USE
Windows Support Tools program files do not have proper access

permissions
(ACLs).
Checks:
Start Windows Explorer.
Right-click the My Computer item and select Search
- Enter Support* in the file name field.
- Select Local Hard Drives in the Look in: field.
- Click the Search button.
Record the location for the Support Tools directory.
Note: The SA may have installed the Support Tools in an alternate
location.
If the default directory is not found, ask the SA.
If the directory is not found and the SA confirms that the Support
Tools are not installed, then this check is Not Applicable.
Using the recorded location, compare the ACL of the Support
Tools directory to the specifications.
If the actual permissions are not at least as restrictive as those in
the appendix, then this is a Finding.
3.2.
Time Synchronization Control

The checks in this section address the need to ensure that the system clock on
domain controllers is synchronized and that changes to the time source are
logged.
a. DS00.0150 Time Synchronization
A time synchronization tool is not implemented on the directory server
(domain controller).
Checks:
Note: This check is Not Applicable on the forest root domain controller that
holds the PDC Emulator FSMO role. (See DS10.0295 for the equivalent for
that system.)
The following procedures check the Windows Time service. This is the
preferred time synchronization tool for Windows domain controllers.
A. Windows Server 2003 Procedures
HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders
\NtpClient.
If the value for Enabled is not 1, then this is a Finding.
HKLM\System\CurrentControlSet\Services\W32Time\Parameters.
If the value for Type is not NT5DS (preferred), NTP or
AllSync, then
this is a Finding.
Note: If these checks indicate a Finding because the NtpClient is not
enabled, ask the SA to demonstrate that an alternate time synchronization
tool is installed and enabled.
Page 9 of 35
INTERNAL USE
If the Windows Time service is not enabled and no alternate tool

is enabled, then this is a Finding.
b. DS00.0151 Time Synchronization Source Logging
The time synchronization tool does not log changes to the time source.
Checks:
The following procedures check the Windows Time service. This is the
preferred
time synchronization tool for Windows domain controllers.
HKLM\System\CurrentControlSet\Services\W32Time\Config.
If the value for EventLogFlags is not 2, then this is a Finding.
If the SA has demonstrated that an alternate time synchronization
tool is being used,
check to see if the tool can log time source changes. [Review the
available
configuration options and logs.] If the tool has that capability and it
is not enabled, then this is a Finding.
3.3.
Domain Controller Characteristics

The checks in this section address some miscellaneous characteristics that
affect the operational integrity of each domain controller.
a. DS10.0290 Windows Services Startup
Windows services that are critical for AD are not configured for automatic
startup.
Checks:
Start the Services console (Start, Run, services.msc)
Check the Startup Type field for the following:
Services on which Active Directory depends
Active Directory / LSA
Computer Browser
Distributed File System
File Replication Service
Kerberos Key Distribution Center
Net Logon
Remote Procedure Call (RPC)
Server
Windows Time
The settings only applicable to the services listed above. Apply the setting
to the services available to the respective server.
Services that require Active Directory services
Certificate Services (required for specific configurations)
DHCP Server (if so configured)
Distributed File System
Distributed Link Tracking Server (optional but on by default on Windows
2000 computers)
Page 10 of 35
INTERNAL USE
Distributed Transaction Coordinator

DNS Server (if so configured)
Fax Service (if so configured)
File Replication Service
File Server for Macintosh (if so configured)
Internet Authentication Service (if so configured)
License Logging (on by default)
Net Logon
Print Spooler
Remote Installation (if so configured)
Remote Procedure Call (RPC) Locator
Remote Storage Notification
Remote Storage Server
Routing and Remote Access
Server
Simple Mail Transfer Protocol (SMTP) (if so configured)
Terminal Services
Terminal Services Licensing
Terminal Services Session Directory
http://support.microsoft.com/kb/832017
If the Startup Type for any of these services is not Automatic, then this
is a Finding.
Note: The Windows Time service is not required *if* another time
synchronization tool is implemented.
3.4.
AD Object Access Permissions and Auditing

The checks in this section address access control and auditing for selected AD
objects in the AD database. Access permissions are examined for AD objects
including Group Policy Objects and Organizational Units. Auditing is examined
for AD objects including Group Policy Objects, Organizational Units, and
several other AD domain partition objects.
a. DS00.0130 Directory Data Object Access Control
Directory service data objects do not have proper access permissions

(ACLs). For AD this includes Group Policy Objects and Organizational Units
(OUs).
Checks:
A. Group Policy Object Procedures - Site Policies
Start the Active Directory Sites and Services console (Start, Run,
dssite.msc).
Select and expand the Sites item in the left pane.
For each AD site that is defined (building icon):
- Right-click the AD site and select the Properties item.
- On the site Properties window, select the Group Policy tab.
- For *each* Group Policy Object Link:
-- Select the Group Policy Object Link item
-- Select the Properties button.
-- On the site Group Policy Properties window, select the Security tab.
-- Compare the ACL of the site Group Policy to the specifications for Group Policy
Objects in Checklist appendix A.3.
Page 11 of 35
INTERNAL USE
If the actual permissions for any AD site object are not at least as restrictive as
those in the appendix, then this is a Finding.
Note: An AD instance may have no AD site Group Policies defined.
B. Group Policy Object Procedures - Default Domain & OU Policies
Start the Active Directory Users and Computers console (Start, Run,
dsa.msc). Ensure that the Advanced Features item on the View menu is
enabled.
Select the left pane item that matches the name of the domain being reviewed.
- Right-click the domain name and select the Properties item.
- On the domain Properties window, select the Group Policy tab and then
the
Properties button.
- On the Default Domain Policy Properties window, select the Security tab.
- Compare the ACL of the Default Domain Group Policy to the
specifications for
Group Policy Objects in Checklist appendix A.3.
If the actual permissions for the Default Domain Policy Group Policy object are
not at least as restrictive as those in the appendix, then this is a Finding.
Return to the initial console view.
For each OU that is defined (folder in folder icon):
- Right-click the OU and select the Properties item.
- On the OU Properties window, select the Group Policy tab.
- For *each* Group Policy Object Link:
-- Select the Group Policy Object Link item
-- Select the Properties button.
-- On the OU Group Policy Properties window, select the Security tab.
-- Compare the ACL of the OU Group Policy to the specifications for Group
Policy Objects in Checklist appendix A.3.
If the actual permissions for any OU Group Policy object are not at least as
restrictive as those in the appendix, then this is a Finding.
Note: Each domain has at least one OU that has a Group Policy. This will be the
Domain Controllers OU.
C. Organizational Unit Object Procedures
dsa.msc). Ensure that the Advanced Features item on the View menu is enabled.
For each OU that is defined (folder in folder icon):
- Right-click the OU and select the Properties item.
- On the OU Properties window, select the Security tab.
- Compare the ACL of the OU to the specifications for Organizational Unit
Objects in Checklist appendix A.3.
If the actual permissions for any OU object are not at least as restrictive as
those
in the appendix, then this is a Finding.
b.
DS10.0210 Synchronize Directory Service Data Right
The Synchronize Directory Service Data user right has been assigned to an
account.
Checks:
Page 12 of 35
INTERNAL USE
Use the procedures in Section Appendix, Using the Microsoft Management

Console,
of the Windows Checklist to start the Security Configuration and Analysis tool.
- Note: It is not necessary to use the customized template file for this check. Any
file that causes the Synchronize Directory Service Data Right to display is
sufficient.
Select and expand the Security Configuration and Analysis item in the left
pane.
Select and expand the Local Policies item in the left pane.
Select the User Rights Assignment item in the left pane.
Scroll down to the Synchronize Directory Service Data Right item in the right
pane.
Note the values indicated in the Computer Setting column.
If any accounts (including groups) are assigned the Synchronize Directory
Service Data Right, then this is a Finding.
4. Active Directory Domain

Notes: The checks in this section apply to Active Directory Domain assets and are
performed on only one domain controller per AD domain. Some of these checks
apply only to Windows Server 2003 and must be done on that platform.
These checks examine characteristics that apply to an entire Windows domain.
Because AD data is replicated among its domain controllers, performing these
checks on a single (up-to-date) domain controller is sufficient.
4.1.
Trust Relationships
The checks in this section address the AD trust relationships that are manually
created by Administrators. This includes external, forest, and realm trusts.
http://technet.microsoft.com/en-us/library/cc755321(WS.10).aspx
a. DS10.0100 Trust Relationship Documentation
Appropriate documentation is not maintained for each external, forest, and realm
AD trust relationship.
Checks:
Start the Active Directory Domains and Trusts console (Start, Run,
domain.msc).
- On the domain object Properties window, select the Trusts tab.
- For *each* outgoing and incoming external, forest, and realm trust,
record the
name of the other party (domain name), the trust type, transitivity, and
the trust
direction.
[Retain this trust information for use in subsequent checks.]
Compare the list of actual trusts with the local documentation maintained by
the
Administrator. [See note below.] For each trust the documentation must contain
type
(external, forest, or realm), name of the other party, trust direction (incoming
and\or outgoing), transitivity, status of the Selective Authentication option, and
status of the SID filtering option.
If an actual trust is not listed in the documentation or if any of the required items are
not documented, then this is a Finding.
Page 13 of 35
INTERNAL USE
b. DS10.0170 Trust Relationship Need

An external, forest, or realm AD trust relationship is defined where access
requirements do not support the need.
Checks:
Refer to the list of actual trusts obtained in check DS10.0100.
For each of the actual trusts, review the local documentation maintained by the
SA to confirm that the trust supports a known access requirement.
Note: The objective of this check is verification that there is a *current* need for
the trust to exist.
If it cannot be confirmed that each trust supports a known access requirement,
c. DS10.0190 SID Filtering Trust Option

An outgoing external or forest trust is configured without SID filtering.
Checks:
Note: Currently this check can only be performed using a command line program
(netdom.exe) that is installed with the Windows Support Tools. If they are not
installed, this check will be Not Reviewed.
domain.msc).
- For *each* outgoing external and forest trust:
-- At a command line prompt enter
netdom trust trusting-domain /D:trusted-domain /quarantine
where trusting-domain is the domain being reviewed
and trusted-domain is the other party to the trust.
If the output of the netdom commands indicates that SID filtering is not
enabled on every outgoing external or forest trust, then this is a Finding.
SOURCE :http://www.windowsitpro.com/article/resource-kit/sid-filtering.aspx
Configure SID Filtering
The administrator of the trusting domain applies SID filtering to filter out migrated SIDs
stored in SIDHistory from specific domains. For example, where an external trust
relationship exists so that the noam domain trusts the acquired domain, an administrator
of the noam domain can apply SID filtering to the acquired domain, which allows all SIDs
with a domain SID from the acquired domain to pass, but all other SIDs (such as those
from migrated SIDs stored in SIDHistory) to be discarded.
Requirements
Credentials: Domain Admins of trusting domain.
Tool: Netdom.exe (Support tools)
To apply SID filtering
Page 14 of 35
INTERNAL USE
1.Log on to the trusting domain with an account with domain administrator

credentials.
2.At the command prompt, type the following:
netdom /filtersids trusteddomain
where trusteddomain is the domain whose SIDs you want to filter. Press ENTER.
To remove SID filtering
1.Log on to the trusting domain with an account with domain administrator
credentials.
2.At the command prompt, type the following:
netdom /filtersids no trusteddomain
where trusteddomain is the trusted domain where you had previously applied SID
filtering, which you now want to remove. Press ENTER.
4.2.
Privileged Group Membership

The checks in this section address membership in Windows security groups
that have privileges with respect to AD data and administrative functions.
a. DS10.0220 Pre-Windows 2000 Compatible Access Membership
The Pre-Windows 2000 Compatible Access group includes the Everyone or
Anonymous Logon groups.
Checks:
dsa.msc).
Select and expand the left pane item that matches the name of the domain
being
reviewed.
- Select the Builtin item
- Double-click the Pre-Windows 2000 Compatible Access group and select
the
Members tab.
If the Anonymous Logon group or Everyone group is a member of the PreWindows 2000 Compatible group, then this is a Finding.
b. DS10.0240 Privileged Group Membership - Intra-Forest
The number of accounts is excessive or documentation does not exist for the
accounts that are members of the Domain Admins, Enterprise Admins, Schema
Admins, Group Policy Creator Owners, or Incoming Forest Trust Builders
groups.
Checks:
dsa.msc).
being
reviewed.
Select the Builtin container
- If the Incoming Forest Trust Builders group is defined:
Page 15 of 35
INTERNAL USE
-- Double-click on the group and select the Members tab

-- Count the number of accounts in the group
-- Compare the accounts in the group with the local documentation.
Select the Users container
- For each of the Domain Admins, Enterprise Admins, Schema Admins, and
Group Policy Creator Owners groups:
-- Count the number of accounts in the group
-- Compare the accounts in the group with the local documentation.
If an account in a highly privileged AD security group is not listed in the local
documentation, then this is a Finding.
If the number of accounts defined in a highly privileged AD security group is
greater than the number below, review the site documentation that justifies this
number.
- For the Enterprise Admins, Schema Admins, Group Policy Creator
Owners, and Incoming Forest Trust Builders groups, the number of
accounts should be between zero (0) and five (5).
Note: It is possible to move the highly privileged AD security groups out of the AD
Users container. If the Domain Admins, Enterprise Admins, Schema Admins, or
Group Policy Creator Owners groups are not in the AD Users container, ask the SA
for the new location and use that location for this check.
c. DS10.0250 Privileged Group Membership - Inter-Forest

Accounts from another AD forest are members of Windows built-in administrative groups
and the other forest is not under the control of the same organization or subject to the
same security policies.
Checks:
dsa.msc).
being
reviewed.
Select the Users container
- For each of the Domain Admins, Enterprise Admins, Schema Admins, and
Group Policy Creator Owners groups:
-- Examine the defined accounts to see if they are from a domain that is
not in the forest being reviewed.
Select the Builtin container
- If the Incoming Forest Trust Builders group is defined:
-- Examine the defined accounts to see if they are from a domain that is
not in the forest being reviewed.
If any account in an administrative group is from a domain outside the forest
being reviewed and that outside forest is not maintained by the same
organization
(e.g., enclave) or subject to the same security policies, then this is a Finding.
Note: An account that is from an outside domain appears in the format
outsidedomainNetBIOSname\account or account@outside-domain-fully-qualifiedname.
Examples are AOFN21\jsmith or [email protected]. It may
be necessary to use the AD Domains and Trusts (domain.msc) console to
determine if the domain is from another AD forest.
Page 16 of 35
INTERNAL USE
Note: It is possible to move the highly privileged AD security groups out of the
AD Users container. If the Domain Admins, Enterprise Admins, Schema Admins,
or Group Policy Creator Owners groups are not in the AD User container, ask the
SA for the new location and use that location for this check.
4.3.
Other Domain Characteristics

The checks in this section address some domain-wide characteristics that affect
the level of security within an AD domain.
a. DS10.0340 Domain Controller Availability
Only one domain controller supports an AD domain.
Checks:
Determine the MAC level information for the AD Domain asset.
If the MAC level of the AD Domain is III, this check is Not Applicable.
dsa.msc).
being
reviewed.
Select the Domain Controllers [OU] item in the left pane.
Count the number of computers (objects) in the Domain Controllers OU.
If there is only one domain controller for a MAC I or II level domain, then this is
a Finding.
* *Note:
What does MAC stand for and what is it?
MAC stands for Mission Assurance Category. There are essentially three MAC levels
(MAC I, II, and III) that can be assigned to a particular resource (that resource being: a
network, system, data, or any combination thereof) or control mechanism. The type and
amount of controls put in place to secure a resource depend on the MAC Level assigned
or designated, by the "owner" of that resource. The MAC levels determine the criticality
of a particular resource. MAC I is the highest level and it is the most critical. MAC I data,
systems and networks must have the proper controls implemented in order for those
resources to be recovered/restored within a matter of minutes and hours, as opposed to
MAC III resources which are considered less critical or Mission Essential and are allowed
several days to recover or restore operations during experienced
5. Active Directory Forest

Notes: The checks in this section apply to Active Directory Forest assets and
are performed on only one or two domain controllers per AD forest according
to forest configuration as follows:
- DS10.0230 applies only for Windows Server 2003 and must be done on that
platform.
- DS10.0295 applies only to the domain controller that holds the authoritative
time source
for the forest. When the Windows Time service is used, that is the root domain
controller that holds the PDC Emulator FSMO role.
The checks in this section address some forest-specific characteristics that
affect the level of security within an AD forest.
Page 17 of 35
INTERNAL USE
a. DS10.0230 dsHeuristics Option [Windows Server 2003 only]
The dsHeuristics option is not configured to prevent anonymous access to AD.

Checks:
Note: This check is Not Applicable for domains that contain no Windows Server 2003
domain controllers.
This check must be performed on a Windows Server 2003 domain controller.
At a command line prompt enter (on a single line):
dsquery * "cn=directory service,cn=windows nt,cn=services,
cn=configuration,dc=forest-name" -attr *
where forest-name is the fully qualified LDAP name of the
root of the domain being reviewed.
If the dsHeuristics attribute is listed, note the assigned value.
If the dsHeuristics attribute is defined and has a 2 in the seventh character,
then
this is a Finding.
Note: An example of the dsquery command for the vcfn.disaost.mil forest is:
dsquery * "cn=directory service,cn=windows nt,cn=services,
cn=configuration,dc=vcfn,dc=disaost,dc=mil" -attr *
Note: Examples of values that would be a Finding are: 0000002, 0010002,
0000002000001.
b. DS10.0295 Time Synchronization - Forest Authoritative Source

[Forest Root Domain PDC Emulator DC only]
The domain controller holding the forest authoritative time source is not
configured to use authorized external time source.
Checks:
Note: This check is Not Applicable for Component locations that do not have the AD
forest root domain on site.
This check must be performed on the domain controller in the *forest root domain* that
holds the PDC Emulator FSMO role.
The following procedures check the Windows Time service. This is the preferred time
synchronization tool for Windows domain controllers.
HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient.
If the value for Enabled is not 1, then this is a Finding.
If the value for Type is not NTP, then this is a Finding.
Note: If these checks indicate a Finding because the NtpClient is not enabled, ask the
SA to demonstrate that an alternate time synchronization tool is installed and enabled.
If the Windows Time service is not enabled and no alternate tool is enabled,
then
this is a Finding.
Page 18 of 35
INTERNAL USE
6. Active Directory User Account Policies

Workstation user account security policies settings
USER ACCOUNT POLICIES
Account lockout threshold
Account lockout duration
Reset account lockout counter after
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store password using reversible encryption for all
users in the domain
SETTINGS
12 invalid logon
attempts
15 minutes
15 minutes
6 passwords
remembered
90 days
1 day
8 characters
Enabled
Disabled
Page 19 of 35
INTERNAL USE
7. APPENDIX A: OBJECT PERMISSIONS AND AUDIT SETTINGS

This appendix of the Checklist provides requirements for compliance with the
Active Directory for the ACLs of Windows file, registry, and AD objects and for
audit settings for select AD objects.
A.1 File and Directory Permissions
The permissions in this section refer to the ACL of the specified directories or
files. Notes: It is generally acceptable for an objects access control to be more
restrictive than the settings specified in this document.
A.1.1 AD Data Permissions
AD Database, Log, and Work Files
Component Object
Account
Name
Database
\ntds.dit
Administrators
SYSTEM
CREATOR
OWNER*
Type
Access
Allow
Allow
Full Control
Full Control
Deny on Full
Control
[None
file]
on
Allow
Local Service*
Log files and
log reserve
files
\edb*.log,
\res1.log
\res2.log
Administrators
SYSTEM
Allow
Allow
Create
Folders /
Append Data
Full Control
Full Control
CREATOR
OWNER*
Deny on Full
Control
[None
file]
on
Allow
Local Service*
Work files
\temp.edb
\edb.chk
Administrators
SYSTEM
Allow
Allow
Create
Folders /
Append Data
Full Control
Full Control
CREATOR
OWNER*
Deny on Full
Control
[None
file]
on
Allow
Local Service*
Create
Folders /
Append Data
Page 20 of 35
INTERNAL USE
The permissions for the account names with an asterisk in the table are only
needed for Windows Server 2003.
FRS Directory
Component
FRS
directory
Object
\Ntfrs
GPT (SYSVOL) Directories

Component Object
GPT
parent
directory
\SYSVOL
Account
Name
Administrators
SYSTEM
Account
Name
Administrators
Authenticated
Users
CREATOR
OWNER
Type
Access
Allow
Allow
Full Control
Full Control
Type
Access
Allow
Allow
Full Control
Read, Read
&
Execute, List
Folder
Contents
Deny on Full
Control
[None
dir.]
on
Allow
Server
Operators
Allow
SYSTEM
GPT
policies
directory
\SYSVOL\
domain\Policies
Administrators
Authenticated
Users
CREATOR
OWNER
Allow
Allow
Deny on Full
Control
Allow
Group Policy
Creator
Owners
Allow
Server
Operators
SYSTEM
Allow
Read, Read
&
Execute, List
Folder
Contents
Full Control
Full Control
Read, Read
&
Execute, List
Folder
Contents
[None
dir.]
on
Read, Read
&
Execute, List
Folder
Contents,
Modify, Write
Read, Read
&
Execute, List
Folder
Contents
Full Control
Page 21 of 35
INTERNAL USE
A.1.2 Windows Support Tools Permissions

Object
\%ProgramFiles%\
Support Tools\
Account Name
Administrators
SYSTEM
Type
Allow
Allow
Access
Full Control
Full Control
[Other SA
groups]
Allow
Read, Execute
With
propagation
A.2 Registry Key Permissions

At this time there are no specific registry key permission checks for compliance
with the Active Directory Security Baselines.
It is assumed that the registry key permission checks in the applicable
Windows 2003 OS Security Checklist have been applied.
A.3 AD Object Permissions
The permissions in this section refer to the ACL of the specified AD database
objects.
Notes: It is generally acceptable for an objects access control to be more
restrictive than the settings specified in this document.
Group Policy Objects
Object
Account Name
[Group
Administrators
Policy
Creator Owner
-e.g.,
SYSTEM
Default
ENTERPRISE
Domain] DOMAIN
CONTROLLERS*
Authenticated
Users
[or other user
groups]
Type
Allow
Allow
Allow
Allow
Access
Full Control
Full Control
Full Control
Read
Allow
Read
Apply Group
Policy
Notes: Groups containing authenticated users (such as the Authenticated Users

group), other locally created user groups, and individual users *may* have the
Read and Apply Group Policy permissions set to Allow or Deny.
- The Anonymous Logon, Guests, or any group that contains those groups (in
which users are not uniquely identified and authenticated) must *not* have
any access permissions unless the group and justification is explicitly
documented with the SA.
- Other access permissions that allow the objects to be *updated* are
considered findings unless specifically documented by the SA.
- The permissions for the account names with an asterisk in the table are only
needed for Windows Server 2003.
Page 22 of 35
INTERNAL USE
Organizational Unit (OU) Objects

Object
[Organizational
Unit
- e.g., Domain
Controllers]
Account Name
Administrators
Creator Owner
SYSTEM
Authenticated
Users
[or other user
groups]
Type
Allow
Allow
Allow
Allow
Access
Full Control
Full Control
Full Control
Read
Note:
Other User
Groups in this
context mean
supporting group
such as Helpdesk
Accounts or
Service Accounts
that fall under
same category.
If an SA-approved distributed administration model [help desk or other user
support staff] is implemented, permissions above Read may be allowed for
groups documented by the SA.
A.4 AD Object Audit Settings
The audit settings in this section refer to the settings of the specified AD
database objects.
Notes: It is generally acceptable for an objects audit settings to be more
inclusive than the settings specified in this document.
Group Policy Objects [Includes Site, Default Domain, and OU GPOs]
Type
Account
Access
Scope
Fail
Everyone
[All
access Object and all child
types]
objects
Success Everyone
Modify
groupPolicyContainer
Permissions
objects
Write
All
Properties
Note: The best method of applying audit settings for all the Group Policy
Objects is by configuring the settings on the Policies container (within the
domains System container) and specifying inheritance.
Domain Object
Type
Account
Fail
Everyone
Success
Everyone
Access
[All
access
types]
Write
All
Properties
Modify
Scope
Domain
only
Domain
only
object
object
Page 23 of 35
Success
Administrators
Success
Domain Users
Infrastructure Object
Type
Account
Fail
Everyone
Success
Everyone
AdminSDHolder Object
Type
Account
Fail
Everyone
Success
Everyone
RID Manager$ Object

Type
Account
Fail
Everyone
Success
Everyone
INTERNAL USE
Permissions
Modify Owner
All
Extended
Rights
All
Extended
Rights
Everyone
Success
Everyone
object
object
Access
[All
access
types]
All
Extended
Rights
Write
All
Properties
Scope
Infrastructure
object only
Infrastructure
object only
Access
[All
access
types]
Modify
Permissions
Modify Owner
Write
All
Properties
Scope
AdminSDHolder
object only
AdminSDHolder
object only
Access
[All
types]
Scope
RID
Manager$ object
only
RID
Manager$ object
only
access
All
Extended
Rights
Write
All
Properties
Domain Controllers OU Object

Type
Account
Access
Fail
Everyone
[All
types]
Success
Domain
only
Domain
only
access
Modify
Permissions
Modify Owner
Create All Child
Objects
Delete
Delete All Child
Objects
Delete Subtree
Write
All
Properties
Scope
Domain
Controllers OU
and all child
objects
Domain
Controllers OU
only
Domain
Controllers OU
and all child
objects
Page 24 of 35
INTERNAL USE
8. APPENDIX D: DIRECTORY INFORMATION GATHERING

This appendix of the Checklist describes tools and methods that could be used
to gather directory information. This is certainly not an exhaustive list. It is
intended to point out some of the simpler and less invasive tools that are
available. Although multiple tools are described, the emphasis is on the
simplest command line tools and methods.
D.1 Active Directory

The tools and processes in this section are used to gather information about
Active Directory implementations. SAs may consider compiling some of these
tools into batch scripts that could be used to automate information gathering
for their specific environment.
Note: Some of the procedures described here require that the user performing
the actions is a member of the Domain Admins security group.
Note: Some of the tools described here require specific Windows releases or
the installation of additional programs:
- Methods that are identified with Windows Server 2003 use programs that
are present on domain controllers that are running that release or later.
- Methods that are identified with Windows Support Tools use programs that
are installed with the Windows Support Tools optional component. Although
present on the OS server installation CD, these programs are not installed by
default.
- Methods that are identified with Script use the Windows Script Host (WSH)
to execute scripts written in the Microsoft Visual Basic Scripting Edition
(VBScript) language. The scripts invoke the Active Directory Service Interfaces
(ADSI) components to get information from AD. These components are present
on all Windows 2000 and later releases, but it is possible that the execution of
VBScript scripts is restricted or disabled on individual machines.
D.1.1 Identifying Domain Controllers

The following are methods to get a list of all the domain controllers in a domain.
Method 1: Microsoft Management Console
a. Start the Active Directory Users and Computers console (Start, Run,
dsa.msc).
b. Select and expand the left pane item that matches the name of the domain
being reviewed.
c. Select the Domain Controllers OU.
d. Each domain controller is represented as an object in this OU.
Notes: This method assumes that domain controller computers are members of
the Domain Controllers OU. This is the default AD configuration and Microsoft
recommends strongly against changing it.
Method 2: Windows "net" Command
a. Open a Command Prompt window (Start, Run, cmd.exe).
b. Enter net group "domain controllers".
c. Each domain controller will be listed as a member of the OU.
Notes: This method assumes that domain controller computers are members of
the Domain Controllers OU. This is the default AD configuration and Microsoft
recommends strongly against changing it.
Method 3: Windows Server 2003 "dsquery" command
b. Enter dsquery server
c. The distinguished name of each domain controller will be listed.
Page 25 of 35
INTERNAL USE
Method 4: Windows Support Tools "netdom" command

b. Enter netdom query dc
c. The host name for each domain controller will be listed.
D.1.2 Determining Immediate Domain Structure

The following are methods to determine the name of the current domain and
the forest root domain. The current domain is the AD domain to which the
logged-on user has been authenticated. Information is obtained by querying
the AD database on the domain controller.
dsa.msc).
b. By default the current domain will be listed in the left pane.
c. Start the Active Directory Domains and Trusts console (Start, Run,
domain.msc).
d. The left pane will contain an icon for each domain that represents the root of
an item in the AD hierarchy. Expand each node in the left pane to locate the
domain name obtained from the Active Directory Users and Computers console.
This will display the relationship of the current domain to its root domain.
Method 2: Script
a. Create a script file (optionally named dir\AD_List_DomNames.vbs) with the
following
contents:
'List AD Domain Names - "Current" \ Forest Root

'
Option Explicit
Dim strAD_objdata
Dim objRootDSE
Dim strDefNC, strRootNC
Dim strdnsHostName
Dim strCurrDom, strRootDom
'
'Get "Current" Domain Name
Set objRootDSE = GetObject("LDAP://rootDSE")
strDefNC = objRootDSE.Get("defaultNamingContext")
'Get "Current" DC
strdnsHostName = objRootDSE.Get("dnsHostName")
'
'Get Root Domain Name
strRootNC = objRootDSE.Get("rootDomainNamingContext")
'
Display the results
strAD_objdata = "Domain Name Data: "
strAD_objdata = strAD_objdata & vbcrlf & "- Root Domain: " & strRootNC
strAD_objdata = strAD_objdata & vbcrlf & "- ""Current"" Domain: " & strDefNC
strAD_objdata = strAD_objdata & vbcrlf
strAD_objdata = strAD_objdata & vbcrlf & """Current"" Domain DC: "
strAD_objdata = strAD_objdata & vbcrlf & "- HostName: " & strdnsHostName
'
Page 26 of 35
INTERNAL USE
wscript.echo strAD_objdata
b. Open a Command Prompt window (Start, Run, cmd.exe).

c. Execute the script file:
wscript dir\AD_List_DomNames.vbs
d. The following items will be displayed in a dialog box:
- The distinguished name of the forest root domain
- The distinguished name of the current domain
- The fully qualified host name of the domain controller where the query was
performed.
Note: Execution of this script does not require special privileges beyond user
authentication.
Any user who has logged on to the domain can execute this script.
Method 3: Windows Support Tools "ldp" command
a. Start the ldp utility (Start, Run, ldp.exe).
b. From the Connection menu item, select Connect
- Leaving the Server field blank on the Connect dialog results in a connection
to the current
domain controller.
c. Scan the RootDSE information in the right pane:
- Find the defaultNamingContext entry.
-- The value for this entry is the distinguished name of the current domain.
- Find the rootDomainNamingContext entry.
-- The value for this entry is the distinguished name of the forest root domain.
d. Exit the ldp utility (Connection | Exit).
Note: This use of the ldp (or other LDAP-capable) utility does not, by itself,
require special
privileges. Any user who has network access to a domain controller and access
to an LDAP
utility can execute this particular query.
D.1.3 Identifying Holders of FSMO Roles

The following are methods to determine the names of the domain controllers
that hold FSMO roles in the domain. Depending on the size of the AD
implementation, it is typical for one domain controller to host multiple FSMO
roles.
- The RID Master, PDC Emulator, and Infrastructure Master roles must be
present on a domain controller in each AD domain.
- The Domain Naming Master and Schema Master roles must be present on a
domain controller in each AD forest.
dsa.msc).
b. Right-click the left pane item that matches the name of the domain being
reviewed.
c. Select the Operations Masters menu item.
d. The fully qualified host name(s) of the domain controller(s) holding the RID
Master, PDC
Emulator, and Infrastructure Master are displayed in the Operations master
text boxes on
the respective tabs of the Operations Masters dialog.
e. Select the Close (2003) or Cancel (2000) button to terminate the Operations
Masters dialog.
Page 27 of 35
INTERNAL USE
f. Start the Active Directory Domains and Trusts console (Start, Run,
domain.msc).
g. Right-click the Active Directory Domains and Trusts item in the left pane.
h. Select the Operations Master menu item.
i. The fully qualified host name of the domain controller holding the Domain
Naming Master
FSMO role is displayed in the Domain naming operations master text box.
j. Select the Close button to terminate the Operations Master dialog.
k. Start a management console that is configured with the Active Directory
Schema snap-in.
(Start, Run, console-name.msc).
Note: This console must be manually configured and might only be configured
on one server
in the forest.
l. Right-click the Active Directory Schema item in the left pane.
m. Select the Operations Master menu item.
n. The fully qualified host name of the domain controller holding the Schema
Master FSMO
role is displayed in the Current schema master (2003) or Current operations
master
(2000) text box.
o. Select the Close (2003) or Cancel (2000) button to terminate the Schema
Master dialog.
Method 2: Script
a. Create a script file (optionally named dir\AD_List_FSMOInfo.vbs) with the
following
contents:
'List FSMO Role Holders

'
Option Explicit
Dim strAD_objdata
Dim objRootDSE, objSchemaNC, objConNC, objDefNC, objRIDC, objInfC
Dim objNTDS, objServer
Dim strSchNC, strSchCont, strSch_FSMO
Dim strConNC, strConCont, strDN_FSMO
Dim strDefNC, strDefCont, strPDCE_FSMO
Dim strRIDCont, strRID_FSMO
Dim strInfCont, strInf_FSMO
'
Set objRootDSE = GetObject("LDAP://rootDSE")
'
' Get Forest Schema Master
strSchNC = objRootDSE.Get("SchemaNamingContext")
Set objSchemaNC = GetObject("LDAP://" & strSchNC)
strSchCont = objSchemaNC.Get("fsmoRoleOwner")
Set objNTDS = GetObject("LDAP://" & strSchCont)
Set objServer = GetObject(objNTDS.Parent)
strSch_FSMO = objServer.Get("dnsHostName")
'
' Get Forest Domain Naming Master
strConNC = objRootDSE.Get("ConfigurationNamingContext")
Set objConNC = GetObject("LDAP://CN=Partitions," & strConNC)
strConCont = objConNC.Get("fsmoRoleOwner")
Set objNTDS = GetObject("LDAP://" & strConCont)
strDN_FSMO = objServer.Get("dnsHostName")
'
' Get Domain PDC Emulator
Page 28 of 35
INTERNAL USE
strDefNC = objRootDSE.Get("defaultNamingContext")
Set objDefNC = GetObject("LDAP://" & strDefNC)
strDefCont = objDefNC.Get("fsmoRoleOwner")
Set objNTDS = GetObject("LDAP://" & strDefCont)
strPDCE_FSMO = objServer.Get("dnsHostName")
'
' Get RID Master
Set objRIDC = GetObject("LDAP://CN=RID Manager$,CN=System," &
strDefNC)
strRIDCont = objRIDC.Get("fsmoRoleOwner")
Set objNTDS = GetObject("LDAP://" & strRIDCont)
strRID_FSMO = objServer.Get("dnsHostName")
'
' Get Infrastructure Master
Set objInfC = GetObject("LDAP://CN=Infrastructure," & strDefNC)
strInfCont = objInfC.Get("fsmoRoleOwner")
Set objNTDS = GetObject("LDAP://" & strInfCont)
strInf_FSMO = objServer.Get("dnsHostName")
'
'Display all FSMOs
strAD_objdata = "FSMO Role Holder Data: "
strAD_objdata = strAD_objdata & vbcrlf & "- Schema Master:" & vbtab & vbtab
& strSch_FSMO
strAD_objdata = strAD_objdata & vbcrlf & "- Domain Naming Master:" & vbtab
& strDN_FSMO
strAD_objdata = strAD_objdata & vbcrlf & "- PDC Emulator:" & vbtab & vbtab
& strPDCE_FSMO
strAD_objdata = strAD_objdata & vbcrlf & "- RID Master:" & vbtab & vbtab &
strRID_FSMO
strAD_objdata = strAD_objdata & vbcrlf & "- Infrastructure Master:" & vbtab &
strInf_FSMO
'
wscript.echo strAD_objdata
b. Open a Command Prompt window (Start, Run, cmd.exe).

c. Execute the script file:
wscript dir\AD_List_FSMOInfo.vbs
d. The fully qualified host names for each of the domain controllers holding a
FSMO role will
be displayed in a dialog box.
Note: Execution of this script does not require special privileges beyond user
authentication.
Any user who has logged on to the domain can execute this script.
Method 3: Windows Support Tools "netdom" command
b. Enter netdom query fsmo
c. The fully qualified host names for each of the domain controllers holding a
FSMO role will
be displayed.
Method 4: Windows Server 2003 "dsquery" command
b. Enter dsquery server -hasfsmo fsmo-role for each role,
where fsmo-role is rid, pdc, infr, name, and schema.
c. The distinguished name for the domain controller holding the specified FSMO
role will bedisplayed.
Page 29 of 35
INTERNAL USE
BASELINE CHECKLIST
No.
Baseline Setting
Value/Conditions
a)\ntds.dit
The settings only applicable to the 4 user group or individual with similar access
rights. Apply the setting to the user(s)/group(s) that available.
Administrators = Full Control

SYSTEM = Full Control
CREATOR OWNER* = Deny Access
Local Service* = Create Folders /Append Data
b)\edb*.log,
\res1.log
\res2.log
DS00.0120 Directory Data File Access Permissions
4.1a
* The permissions for the additional account names with

an asterisk in the table are only needed for Windows
Server 2003.

Local Service* = Create Folders / Append Data
c)\temp.edb
\edb.chk

Local Service* = Create Folders /Append Data
Page 30 of 35
Comply
(Y/N)
Remarks
(if not comply)
No.
4.2a
Baseline Setting
DS10.0120 Support Tools Access Permissions
4.1b
INTERNAL USE
* The permissions for the additional account names with

an asterisk in the table are only needed for Windows
Server 2003.
DS00.0150 Time Synchronization
Value/Conditions
\%ProgramFiles%\Support Tools\

*CREATOR OWNER = Deny Access
[Other SA groups] = Read, Execute

The value for Enabled is 1
The value for Type is NT5DS (preferred), NTP or AllSync
HKLM\System\CurrentControlSet\Services\W32Time\Config.
The value for EventLogFlags is 2
4.2b
4.3a
DS00.0151 Time Synchronization Source Logging
DS10.0290 Windows Services Startup
If the SA has demonstrated that an alternate time synchronization tool is being used,
check to see if the tool can log time source changes. [Review the available
configuration options and logs.] If the tool has that capability and it is not enabled,
then this is a non-comply.
Active Directory / LSA = Automatic
Computer Browser = Automatic
Distributed File System = Automatic
File Replication Service = Automatic
Kerberos Key Distribution Center = Automatic
Net Logon = Automatic
Remote Procedure Call (RPC) = Automatic
Server = Automatic
Windows Time = Automatic
Page 31 of 35
Comply
(Y/N)
Remarks
(if not comply)
No.
INTERNAL USE
Baseline Setting
Value/Conditions
Group Policy : Default Domain
Creator Owner = Full Control
ENTERPRISE DOMAIN CONTROLLERS* = Read
Authenticated Users[or other user groups] = Read & Apply Group Policy
4.4a
DS00.0130 Directory Data Object Access Control
4.4b
DS10.0210 Synchronize Directory Service Data Right
5.1a
DS10.0100 Trust Relationship Documentation
5.1b
DS10.0170 Trust Relationship Need
Notes: Groups containing authenticated users (such as the Authenticated Users group),
other locally created user groups, and individual users *may* have the Read and
Apply Group Policy permissions set to Allow or Deny.
Open MMC
Select and expand the Security Configuration and Analysis item in the left
pane.
Select and expand the Local Policies item in the left pane.
Select the User Rights Assignment item in the left pane.
Scroll down to the Synchronize Directory Service Data Right item in the right
pane.
Note the values indicated in the Computer Setting column.
Remove any accounts (including groups) are assigned the Synchronize Directory
Service Data Right. (default: NONE)
Compare the list of actual trusts with the local documentation maintained by the
Administrator.
Supporting document available for an external, forest, or realm AD trust relationship
is defined where access requirements support the need.
Page 32 of 35
Comply
(Y/N)
Remarks
(if not comply)
No.
5.1c
INTERNAL USE
Baseline Setting
Value/Conditions
domain.msc).
- For *each* outgoing external and forest trust:
-- At a command line prompt enter
netdom trust trusting-domain /D:trusted-domain /quarantine
where trusting-domain is the domain being reviewed
and trusted-domain is the other party to the trust.
DS10.0190 SID Filtering Trust Option
To Enable SID Filtering

netdom /filtersids trusteddomain
5.2a
DS10.0220 Pre-Windows
Membership
2000
Compatible
Access
5.2b
DS10.0240 Privileged Group Membership - Intra-Forest
5.2c
DS10.0250 Privileged Group Membership - Inter-Forest
5.3a
DS10.0340 Domain Controller Availability
5.3b
DS10.0230 dsHeuristics Option [Windows Server 2003

only]
At the Active Directory Users and Computers console, Builtin item

- Double-click the Pre-Windows 2000 Compatible Access group and select the
Members tab.
If the Anonymous Logon group or Everyone group is a member of the PreWindows 2000 Compatible group, remove the group(s).
The number of accounts as permissible for
For the Enterprise Admins, Schema Admins, Group Policy Creator Owners, and
Incoming Forest Trust Builders groups : between zero (0) and five (5).
Supporting Documents for the accounts that are members of the Domain Admins,
Enterprise Admins, Schema Admins, Group Policy Creator Owners, or Incoming
Forest Trust Builders groups.
Windows built-in administrative groups and the other forest is under the control of
the same organization or subject to the same security policies, should not have
accounts from another AD forest.
At least one Backup Domain Controller supports an current AD domain. The If the
MAC level of the AD Domain is MAC I or MAC II
The dsHeuristics option is configured to prevent anonymous access to AD.
dsHeuristics attribute defined should not has a 2 in the seventh character
Page 33 of 35
Comply
(Y/N)
Remarks
(if not comply)
No.
INTERNAL USE
Baseline Setting
Value/Conditions
The domain controller holding the forest authoritative time source is configured to
use authorized external time source or reliable source.
5.3c
DS10.0295 Time Synchronization - Forest Authoritative

Source
The value for Enabled should set to 1
The value for Type should set to NTP
6.0
USER ACCOUNT POLICIES
Account lockout threshold
SETTINGS
12 invalid logon attempts
Account lockout duration
15 minutes
Reset account lockout counter after
15 minutes
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store password using reversible encryption for all

users in the domain
6 passwords remembered
90 days
1 day
8 characters
Enabled
Disabled
Page 34 of 35
Comply
(Y/N)
Remarks
(if not comply)
INTERNAL USE
Task Details:
Date:
Server/Workstation/Device Details:
IP Address:
Hostname:
Remarks:
Implemented
By:
Verified By:
Signature:
Signature:
Name:
Name:
Date:
Date:
Page 35 of 35

D30. Windows 2003 Active Directory Security Baselines

Uploaded by

Copyright:

Available Formats

D30. Windows 2003 Active Directory Security Baselines

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

D30. Windows 2003 Active Directory Security Baselines

Uploaded by

Copyright:

Available Formats

Updated On: Apr-13 (Version 1.

PETRONAS Windows 2003 Active Directory Security Baseline

Updated On: Apr-13 (Version 1.0)

FEEDBACK AND COMMENTS

PETRONAS Windows 2003 Active Directory Security Baseline

Updated On: Apr-13 (Version 1.0)

PETRONAS Windows 2003 Active Directory Security Baseline

Updated On: Apr-13 (Version 1.0)

Procedures and Tools for The Review Process ........................................... 7

Active Directory Domain Controller .......................................................... 8

Data / Program Access Control .......................................................... 8

Time Synchronization Control ........................................................... 9

Domain Controller Characteristics .................................................... 10

AD Object Access Permissions and Auditing ...................................... 11

Active Directory Domain ...................................................................... 13

Trust Relationships ........................................................................ 13

Privileged Group Membership .......................................................... 15

Other Domain Characteristics.......................................................... 17

Active Directory Forest ........................................................................ 17

APPENDIX A: OBJECT PERMISSIONS AND AUDIT SETTINGS ..................... 20

APPENDIX D: DIRECTORY INFORMATION GATHERING ............................. 25

BASELINE CHECKLIST .................................................................................. 30

PETRONAS Windows 2003 Active Directory Security Baseline

Updated On: Apr-13 (Version 1.0)

Scope and Intended Audience

Updated On: Apr-13 (Version 1.0)

PETRONAS Windows 2003 Active Directory Security Baseline

Updated On: Apr-13 (Version 1.0)

2. Procedures and Tools for The Review Process

PETRONAS Windows 2003 Active Directory Security Baseline

Updated On: Apr-13 (Version 1.0)

3. Active Directory Domain Controller

Data / Program Access Control

b. DS10.0120 Support Tools Access Permissions

Updated On: Apr-13 (Version 1.0)

Windows Support Tools program files do not have proper access

Time Synchronization Control

PETRONAS Windows 2003 Active Directory Security Baseline

Updated On: Apr-13 (Version 1.0)

If the Windows Time service is not enabled and no alternate tool

Domain Controller Characteristics

PETRONAS Windows 2003 Active Directory Security Baseline

Updated On: Apr-13 (Version 1.0)

Distributed Transaction Coordinator

AD Object Access Permissions and Auditing

Directory service data objects do not have proper access permissions

Updated On: Apr-13 (Version 1.0)

DS10.0210 Synchronize Directory Service Data Right

Updated On: Apr-13 (Version 1.0)

Use the procedures in Section Appendix, Using the Microsoft Management

4. Active Directory Domain

Updated On: Apr-13 (Version 1.0)

b. DS10.0170 Trust Relationship Need

c. DS10.0190 SID Filtering Trust Option

Updated On: Apr-13 (Version 1.0)

1.Log on to the trusting domain with an account with domain administrator

Privileged Group Membership

Updated On: Apr-13 (Version 1.0)

-- Double-click on the group and select the Members tab