
Active Directory Domain Security Technical Implementation Guide

Version: V3R7

Benchmark ID: Active_Directory_Domain

Total Checks: 36

Tags: other

CAT I: 5, CAT II: 27, CAT III: 4

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (36)

  • V-243466 (HIGH): Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest.
  • V-243467 (HIGH): Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
  • V-243468 (MEDIUM): Administrators must have separate accounts specifically for managing domain member servers.
  • V-243469 (MEDIUM): Administrators must have separate accounts specifically for managing domain workstations.
  • V-243470 (HIGH): Delegation of privileged accounts must be prohibited.
  • V-243471 (MEDIUM): Local administrator accounts on domain systems must not share the same password.
  • V-243472 (MEDIUM): Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts.
  • V-243473 (MEDIUM): Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers.
  • V-243475 (MEDIUM): Domain controllers must be blocked from Internet access.
  • V-243476 (MEDIUM): All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days.
  • V-243477 (MEDIUM): User accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
  • V-243478 (MEDIUM): Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.
  • V-243479 (MEDIUM): The Directory Service Restore Mode (DSRM) passwords must be changed on each Domain Controller (DC) at least annually.
  • V-243480 (MEDIUM): The domain functional level must be at a Windows Server version still supported by Microsoft.
  • V-243481 (MEDIUM): Access to need-to-know information must be restricted to an authorized community of interest.
  • V-243482 (HIGH): Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts.
  • V-243483 (HIGH): A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks.
  • V-243484 (MEDIUM): Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.
  • V-243485 (MEDIUM): Selective Authentication must be enabled on outgoing forest trusts.
  • V-243486 (MEDIUM): The Anonymous Logon and Everyone groups must not be members of the Pre-Windows 2000 Compatible Access group.
  • V-243487 (MEDIUM): Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited.
  • V-243488 (LOW): User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts.
  • V-243489 (MEDIUM): Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements.
  • V-243490 (MEDIUM): Usage of administrative accounts must be monitored for suspicious and anomalous activity.
  • V-243491 (MEDIUM): Systems must be monitored for attempts to use local accounts to log on remotely from other systems.
  • V-243492 (MEDIUM): Systems must be monitored for remote desktop logons.
  • V-243493 (MEDIUM): Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.
  • V-243494 (LOW): Each cross-directory authentication configuration must be documented.
  • V-243495 (MEDIUM): A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries.
  • V-243496 (MEDIUM): Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups.
  • V-243497 (MEDIUM): Inter-site replication must be enabled and configured to occur at least daily.
  • V-243498 (MEDIUM): If a VPN is used in the AD implementation, the traffic must be inspected by the network Intrusion detection system (IDS).
  • V-243499 (LOW): Active Directory implementation information must be added to the organization contingency plan where the Risk Management Framework categorization for Availability is moderate or high.
  • V-243500 (MEDIUM): Active Directory must be supported by multiple domain controllers where the Risk Management Framework categorization for Availability is moderate or high.
  • V-243501 (LOW): The impact of CPCON changes on the cross-directory authentication configuration must be considered and procedures documented.
  • V-269097 (MEDIUM): Windows Server domain controllers must have Kerberos logging enabled with servers hosting Active Directory Certificate Services (AD CS).