
U Active Directory Domain V3R5 Revision History

The document outlines the revision history of the Active Directory Domain Security Technical Implementation Guide (STIG), detailing changes made across various versions up to V3R5 released on 13 September 2024. Key updates include the removal of certain requirements based on NIST guidelines, the addition of new requirements for Kerberos logging, and updates to rule numbers due to content management system changes. The document serves as a comprehensive reference for the Department of Defense's security standards for Active Directory management.

UNCLASSIFIED

ACTIVE DIRECTORY DOMAIN STIG


REVISION HISTORY

Version 3, Release 5

13 September 2024

Developed by DISA for the DOD

Active Directory Domain STIG Revision History, V3R5 DISA
13 September 2024 Developed by DISA for the DOD

REVISION HISTORY
Revision Number | Document Revised | Description of Change | Release Date
Revision Number: V3R5
Document Revised: Active Directory Domain STIG V3R4
Release Date: 13 September 2024
Description of Change:
- AD.0014 - Removed requirement based on NIST SP 800-53 Rev. 5 changes.
- AD.0016 - Updated the CCI to CCI-000366.
- AD.0205 - Added requirement that Windows Server domain controllers must have Kerberos logging enabled with servers hosting Active Directory Certificate Services.
- DS00.7100_AD - INFOCON was replaced by Cyber Protection Conditions (CPCON) with the release of USSCI 5200-13. Updated Rule Title, Discussion, Check, and Fix.
- Rule numbers updated throughout due to changes in content management system.

Revision Number: V3R4
Document Revised: Active Directory Domain STIG V3R3
Release Date: 15 May 2024
Description of Change:
- AD.0160 - Updated Check and Fix with domain functional level of 2016.
- AD.0014, AD.0016 - Rule numbers updated due to changes in content management system.

Revision Number: V3R3
Document Revised: Active Directory Domain STIG V3R2
Release Date: 11 May 2023
Description of Change:
- AD.0170 - In Check, revised V-8530 reference to V-243494.
- AD.0190 - In Check, revised, “If the trust type is External, run the following command on the trusting domain” to “Access a command line and run the following command on the trusting domain”.

Revision Number: V3R2
Document Revised: Active Directory Domain STIG V3R1
Release Date: 14 November 2022
Description of Change:
- AD.0016 - Updated hyperlinks in Check and Fix text.
- Some Rule IDs updated due to minor changes in content management system.

Revision Number: V3R1
Document Revised: Active Directory Domain STIG V2R13
Release Date: 01 November 2021
Description of Change:
- DISA migrated the STIG to a new content management system, which renumbered all Groups (V-numbers) and Rules (SV-numbers). With the new Group and Rule numbers, DISA incremented the version number from V2R13 to V3R1.
- AD.0008 - Updated Fix to highly recommend use of Microsoft’s Local Administrator Password Solution (LAPS), and AO can approve other solutions.

Revision Number: V2R13
Document Revised: Active Directory Domain STIG
Release Date: 26 April 2019
Description of Change:
- V-92285 - Added requirement to prevent unconstrained delegation of computer accounts.

Revision Number: V2R12
Document Revised: Active Directory Domain STIG
Release Date: 25 January 2019
Description of Change:
- V-36436 - Removed requirement, addressed by PAW STIG.
- V-78131 - Updated to clarify this applies to personnel user accounts, not service accounts.

Revision Number: V2R11
Document Revised: Active Directory Domain STIG
Release Date: 26 October 2018
Description of Change:
- V-36438 - Clarified to note query results require review to validate.

Revision Number: V2R10
Document Revised: Active Directory Domain STIG
Release Date: 27 July 2018
Description of Change:
- V-25841 - Removed requirement that defines frequency of reviews, out of scope of STIG.
- V-36436 - Updated to reference the Windows Privileged Access Workstation (PAW) STIG for additional configuration.
- V-43712, V-43713, V-43714 - Updated the link to the referenced NSA document.
- V-78131 - Updated to clarify requirement applies to accounts from local domain.
- The following requirements were removed, now addressed by the PAW STIG: V-36437, V-43710, V-43711, V-44058.

Revision Number: V2R9
Document Revised: Active Directory Domain STIG
Release Date: 26 January 2018
Description of Change:
- V-36438 - Corrected PowerShell query. Clarified use of LAPS and all local administrator accounts must be addressed.
- V-78131 - Added requirement for domain level admin accounts to be members of the Protected Users group.

Revision Number: V2R8
Document Revised: Active Directory Domain STIG
Release Date: 27 January 2017
Description of Change:
- V-8548 - Removed Enterprise and Domain Admins - accounted for in other requirements. Moved Schema Admins to new requirement in Forest STIG.
- V-8551 - Removed reference to Windows 2003 end of support.
- V-25840 - Clarified requirement is for Directory Restore Mode Password (DSRM) annual password change.
- Replaced the following with new requirement (V-72821) to roll hash for all smart card-enabled accounts: V-43649, V-43650, V-43651.
- V-72821 - Added new requirement for smart card required for interactive logon (SCRIL) hash rolling.

Revision Number: V2R7
Document Revised: Active Directory Domain STIG
Release Date: 22 April 2016
Description of Change:
- Added Sections 1.6 Other Considerations and 1.7 Product Approval Disclaimer to the STIG Overview document.
- V-8524 - Changed MAC references to RMF.
- V-8525 - Changed MAC references to RMF.
- V-8530 - Changed MAC references to RMF.
- V-8540 - Added Fix details.
- V-8547 - Added Fix details.
- V-8553 - Added Fix details.
- V-25385 - Changed MAC references to RMF.
- V-36438 - Added LAPS as a solution for managing local administrator passwords.
- V-43712 - Removed Windows 2003 references.
- V-43713 - Removed Windows 2003 references.
- V-43714 - Removed Windows 2003 references.

Revision Number: V2R6
Document Revised: Active Directory Domain STIG
Release Date: 23 January 2015
Description of Change:
- STIGs previously bundled in the Windows Server packages have been separated into individual packages (e.g., Member Server, Domain Controller, AD Domain, and AD Forest).
- V-8538 - Trust - SID Filter Quarantining - Updated for clarification.
- V-8551 - Domain Functional Level - Updated for clarification.
- V-36436 - Dedicated Systems for Managing Active Directory - Updated for clarification.

Revision Number: V2R5
Document Revised: Active Directory Domain STIG
Release Date: 28 October 2014
Description of Change:
- Control Correlation Identifiers (CCIs) added to requirements.
- V-53727 Domain Controllers Internet Access - added.

Revision Number: V2R4
Document Revised: Active Directory Domain STIG
Release Date: 25 April 2014
Description of Change:
- V-36436 Systems dedicated to managing Active Directory - Additional information added.
- The following new requirements have been added to support Pass-the-Hash mitigations.
- V-43648 Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts.
- V-43649 Enterprise Admin (EA) and Domain Admin (DA) accounts that require smart cards must have the setting Smart card is required for interactive logon disabled and re-enabled at least every 60 days.
- V-43650 Administrative accounts for critical servers, that require smart cards, must have the setting Smart card is required for interactive logon disabled and re-enabled at least every 60 days.
- V-43651 Other important accounts (VIPS and other administrators) that require smart cards must have the setting Smart card is required for interactive logon disabled and re-enabled at least every 60 days.
- V-43652 Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers.
- V-43710 Systems used to manage Active Directory (AD admin platforms) must be Windows 7, Windows Server 2008 R2, or later versions of Windows.
- V-43711 Separate domain administrative accounts must be used to manage AD admin platforms from any domain accounts used on, or used to manage, non-AD admin platforms.
- V-43712 Usage of administrative accounts must be monitored for suspicious and anomalous activity.
- V-43713 Systems must be monitored for attempts to use local accounts to log on remotely from other systems.
- V-43714 Systems must be monitored for remote desktop logons.
- V-44058 Communications from AD admin platforms must be blocked, except with the domain controllers being managed.
- V-44059 Windows service \ application accounts with administrative privileges and manually managed passwords, must have passwords changed at least every 60 days.

Revision Number: V2R3
Document Revised: Active Directory Domain STIG
Release Date: 24 January 2014
Description of Change:
- V-8521 Object Ownership Delegation - Changed Check Type to “Manual” in VMS.
- V-8523 IDS Visibility of Directory VPN Data Transport - Changed Check Type to “Manual” in VMS.
- V-8525 Directory Service Architecture DR Documentation - Changed Check Type to “Manual” in VMS.

Revision Number: V2R2
Document Revised: Active Directory Domain STIG
Release Date: 29 March 2013
Description of Change:
- V-36431 Enterprise Admins Group Members - new CAT I.
- V-36432 Domain Admins Group Members - new CAT I.
- V-36433 Domain Member Server Administrators Group Members - new CAT II.
- V-36434 Domain Workstation Administrators Group Members - new CAT II.
- V-36435 Delegation of Privileged Accounts - new CAT I.
- V-36436 Dedicated Systems for Managing Active Directory - new CAT II.
- V-36437 Block Internet Access for Dedicated Systems Used for Managing Active Directory - new CAT II.
- V-36438 Unique Passwords for all Local Administrator Accounts - new CAT II.
