
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-243498

CAT II (Medium)

If a VPN is used in the AD implementation, the traffic must be inspected by the network intrusion detection system (IDS).

Rule ID

SV-243498r958406_rule

STIG

Active Directory Domain Security Technical Implementation Guide

Version

V3R7

CCIs

CCI-000067

Discussion

To provide data confidentiality, a VPN is configured to encrypt the data being transported. While this protects the data, some implementations do not allow that data to be processed through an intrusion detection system (IDS) that could detect data from a compromised system or malicious client. Further policy details: Replace the VPN solution or reconfigure it so that directory data is processed by a network or host-based intrusion detection system (IDS).

Check Content

1. Interview the site representative. Ask about the location of the domain controllers.

2. If domain controllers are not located in multiple enclaves, then this check is not applicable.

3. If domain controllers are located in multiple enclaves and a VPN is not used, then this check is not applicable.

4. If domain controllers are located in multiple enclaves and a VPN is used, review the site network diagram(s) with the SA, NSO, or network reviewer as required to determine if the AD network traffic is visible to a network or host IDS.

5. If the AD network traffic is not visible to a network or host IDS, then this is a finding.
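The decision logic of steps 2 through 5, as an added example that is not part of the STIG or of STIGhub: it evaluates a constructed site inventory (enclave names, domain controllers, VPN tunnels and IDS coverage are all assumed fields for illustration) and returns the same outcomes a reviewer would record. It assumes that a tunnel counts as "visible" either when a network IDS inspects its decrypted traffic or when every domain controller at both ends runs a host IDS.

```python
# Added example, not DISA or STIGhub code. Inventory fields are assumptions
# standing in for what the interview and network diagrams would establish.
from dataclasses import dataclass, field


@dataclass
class DomainController:
    name: str
    enclave: str
    host_ids: bool = False  # host-based IDS agent installed on this DC


@dataclass
class VpnTunnel:
    src_enclave: str
    dst_enclave: str
    inspected_by_nids: bool  # decrypted traffic passes a network IDS sensor


@dataclass
class SiteInventory:
    dcs: list                                  # list of DomainController
    vpns: list = field(default_factory=list)   # list of VpnTunnel


def assess_v243498(site: SiteInventory) -> str:
    """Return 'not_applicable', 'not_a_finding' or 'open' per the check content."""
    enclaves = {dc.enclave for dc in site.dcs}
    if len(enclaves) < 2:                 # step 2: DCs in one enclave only
        return "not_applicable"
    tunnels = [v for v in site.vpns if v.src_enclave != v.dst_enclave]
    if not tunnels:                       # step 3: multiple enclaves, no VPN
        return "not_applicable"
    for t in tunnels:                     # steps 4-5: is AD traffic visible to an IDS?
        if t.inspected_by_nids:
            continue
        ends = (t.src_enclave, t.dst_enclave)
        endpoint_dcs = [dc for dc in site.dcs if dc.enclave in ends]
        if not all(dc.host_ids for dc in endpoint_dcs):
            return "open"                 # traffic crosses the VPN unseen by any IDS
    return "not_a_finding"


# Constructed sample: two enclaves joined by a VPN with no NIDS tap; one DC lacks HIDS.
SAMPLE = SiteInventory(
    dcs=[DomainController("DC01", "HQ", host_ids=True),
         DomainController("DC02", "BRANCH", host_ids=False)],
    vpns=[VpnTunnel("HQ", "BRANCH", inspected_by_nids=False)],
)

if __name__ == "__main__":
    print(assess_v243498(SAMPLE))  # open
```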

Fix Text

Replace the VPN solution or reconfigure it so that directory data is inspected by a network or host-based IDS.