STIGs Search Compare About

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
Compare Versions

Resources

About
VPAT
DISA STIG Library

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← Back to STIGs

Active Directory Forest Security Technical Implementation Guide

Version

V3R2

Benchmark ID

Active_Directory_Forest

Total Checks

7

Tags

other

CAT I: 3CAT II: 3CAT III: 1

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKL Export CSV Export JSON

Checks (7)

V-243502MEDIUMMembership to the Schema Admins group must be limited.V-243503MEDIUMAnonymous Access to AD forest data above the rootDSE level must be disabled.V-243504MEDIUMThe Windows Time Service on the forest root PDC Emulator must be configured to acquire its time from an external time source.V-243505LOWChanges to the AD schema must be subject to a documented configuration management process.V-243506HIGHUpdate access to the directory schema must be restricted to appropriate accounts.V-269098HIGHWindows Server hosting Active Directory Certificate Services (AD CS) must enforce Certificate Authority (CA) certificate management approval for certificate requests.V-269099HIGHWindows Server running Active Directory Certificate Services (AD CS) must be managed by a PAW tier 0.