← Back to Active Directory Domain Security Technical Implementation Guide

V-243493

CAT II (Medium)

Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.

Rule ID

SV-243493r959010_rule

STIG

Active Directory Domain Security Technical Implementation Guide

Version

V3R7

CCIs

CCI-000366

Discussion

Failure to maintain a current backup of directory data could make it difficult or impossible to recover from incidents including hardware failure or malicious corruption. A failure to recover from the loss of directory data used in identification and authentication services (i.e., Active Directory) could result in an extended loss of availability.

Check Content

Review the organization's procedures for the backing up active directory data.
Verify the frequency at which active directory data is backed up.
If the Availability categorization of the domain is low, this must be at least weekly.
If the Availability categorization of the domain is moderate or high, this must be at least daily.
Verify the type of backup is appropriate to capturing the directory data.  For AD domain controllers, this must include a System State data backup.

If any of these conditions are not met, this is a finding.

Fix Text

Update the organization's procedures for the backing up active directory data.
Ensure the frequency at which active directory data is backed up is as follows:
If the Availability categorization of the domain is low, this must be at least weekly.
If the Availability categorization of the domain is moderate or high, this must be at least daily.
Ensure the type of backup is appropriate to capturing the directory data.  For AD domain controllers, this must include a System State data backup.