TickYouOff

Active Directory Forest STIG Checklist

Hard 15 items · 4 hours
testuser Published 1 month ago

This checklist translates the DISA Active Directory Forest STIG into a practical set of actions for IT administrators. It’s designed for system and security admins who manage Windows domain infrastructures and need a concise compliance-oriented task list.

Source: https://ncp.nist.gov/checklist/671

  1. Inventory AD forest topology and domain controllers — Map domains, sites, DCs, and trust relationships.
  2. Document and verify FSMO role holders and replication status — Use repadmin and dcdiag to confirm role locations and healthy replication.
  3. Harden domain controllers — Apply the physical, firmware, and service hardening steps in items 4 through 6 to every DC in the forest.
  4. Restrict physical access to domain controllers — Limit access to authorized personnel and keep DCs in locked rooms.
  5. Enable secure boot and set firmware passwords on DC hardware — Turn on Secure Boot and configure UEFI/BIOS passwords.
  6. Disable unnecessary services and roles on domain controllers — Remove or disable services like print spooler or IIS if not required.
  7. Enforce password complexity and account lockout policies via GPO — Set length, complexity, age, and lockout thresholds in domain policy.
  8. Configure Kerberos settings and ticket lifetimes per STIG — Set ticket lifetimes, enforce AES, and review renewable ticket policy.
  9. Restrict and review Domain Admins and Enterprise Admins group membership — Apply least-privilege principles and audit privileged group memberships.
  10. Implement GPO security baselines and manage inheritance — Apply Microsoft or DoD baselines and block inheritance where appropriate.
  11. Apply all critical Windows Server patches to domain controllers — Test in lab, then schedule and deploy updates promptly.
  12. Configure logging, auditing, and forward logs to a central SIEM — Enable AD audit categories and centralize event collection.
  13. Secure DNS and LDAP services — Allow only secure dynamic updates on AD-integrated zones, restrict zone transfers, require LDAP signing and channel binding, and enable LDAPS.
  14. Protect replication channels and enforce secure RPC/SMB — Require SMB signing on DCs, and enforce RPC/SMB encryption or IPsec for replication traffic where applicable.
  15. Perform periodic STIG compliance scans and remediate findings — Run SCAP scans against the DISA benchmark (for example with the DISA SCC tool) or review manually in STIG Viewer, log exceptions, and track remediation until closed.
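The following script is an added example, not part of the original checklist or of DISA's materials. It is a read-only evidence-gathering pass that covers items 1, 2, 5 through 9, and 11 through 14 in one run: it pulls forest topology, FSMO holders and replication health, password and Kerberos policy, privileged group membership, and then queries each DC over WinRM for Secure Boot, the print spooler and IIS, patch level, LDAP signing and channel binding, SMB signing and encryption, the Windows Event Forwarding subscription manager, the audit policy, and DNS zone update settings. It assumes RSAT (ActiveDirectory, plus the DnsServer and ServerManager modules present on the DCs), rights to read AD, and WinRM access to every DC; the report path is an assumed default and the GUID is the well-known one for the Default Domain Policy. Nothing in it changes a setting.

```powershell
#Requires -Modules ActiveDirectory
# Added, read-only evidence pass for the AD Forest STIG checklist (not from the original page).
# Assumptions: RSAT on the workstation, AD read rights, WinRM access to every DC.
# $ReportPath is an assumed default; $ddpGuid is the well-known Default Domain Policy GUID.
param([string]$ReportPath = "$env:USERPROFILE\ad-forest-stig-evidence.json")

$forest = Get-ADForest
$report = [ordered]@{ GeneratedAt = (Get-Date).ToString('o'); Forest = $forest.Name }

# Item 1: forest topology (domains, sites, DCs, trusts)
$report.Domains = @($forest.Domains); $report.Sites = @($forest.Sites)
$report.DomainControllers = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d |
        Select-Object HostName, Domain, Site, IPv4Address, OperatingSystem, IsGlobalCatalog, IsReadOnly
}
$report.Trusts = foreach ($d in $forest.Domains) {
    Get-ADTrust -Filter * -Server $d |
        Select-Object Source, Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication, SIDFilteringQuarantined
}

# Item 2: FSMO holders plus repadmin/dcdiag replication health
$report.ForestRoles = @{ SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster }
$report.DomainRoles = foreach ($d in $forest.Domains) {
    Get-ADDomain -Server $d | Select-Object DNSRoot, DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster
}
$report.ReplSummary = (& repadmin.exe /replsummary 2>&1) -join "`n"
$report.DcDiagRepl  = (& dcdiag.exe /test:replications /q 2>&1) -join "`n"

# Item 7: password and lockout settings from the default domain policy
$report.PasswordPolicy = foreach ($d in $forest.Domains) {
    Get-ADDefaultDomainPasswordPolicy -Server $d | Select-Object @{n='Domain';e={$d}}, MinPasswordLength,
        ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold, LockoutDuration
}

# Item 8: Kerberos ticket lifetimes live in the Default Domain Policy's GptTmpl.inf; AES enforcement
# shows in msDS-SupportedEncryptionTypes (0x1/0x2 DES, 0x4 RC4, 0x8 AES128, 0x10 AES256; unset = defaults)
$ddpGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
$report.KerberosPolicy = foreach ($d in $forest.Domains) {
    $inf = "\\$d\SYSVOL\$d\Policies\$ddpGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    $lines = Select-String -Path $inf -Pattern '^Max(Ticket|Renew|Service)Age|^MaxClockSkew|^TicketValidateClient'
    [pscustomobject]@{ Domain = $d; Settings = @($lines | ForEach-Object { $_.Line.Trim() }) }
}
$report.DcEncryptionTypes = foreach ($d in $forest.Domains) {
    # PrimaryGroupID 516 = Domain Controllers, 521 = Read-only Domain Controllers
    Get-ADComputer -Filter 'PrimaryGroupID -eq 516 -or PrimaryGroupID -eq 521' -Server $d -Properties 'msDS-SupportedEncryptionTypes' |
        Select-Object Name, @{n='Domain';e={$d}}, @{n='EncTypes';e={$_.'msDS-SupportedEncryptionTypes'}},
            @{n='LegacyEtypesAllowed';e={ $e = $_.'msDS-SupportedEncryptionTypes'
                                           if ($null -eq $e) { 'unset (defaults apply)' } else { [bool]($e -band 0x7) } }}
}

# Item 9: privileged group membership (Enterprise/Schema Admins exist only in the forest root)
$report.PrivilegedMembers = foreach ($d in $forest.Domains) {
    $groups = @('Domain Admins', 'Administrators')
    if ($d -eq $forest.RootDomain) { $groups += 'Enterprise Admins', 'Schema Admins' }
    foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Server $d -Recursive |
            Select-Object @{n='Domain';e={$d}}, @{n='Group';e={$g}}, SamAccountName, objectClass
    }
}

# Items 5, 6, 11, 12, 13, 14: per-DC state read over WinRM (unreachable DCs are reported and skipped)
$report.PerDC = foreach ($dc in $report.DomainControllers) {
    Invoke-Command -ComputerName $dc.HostName -ErrorAction Continue -ScriptBlock {
        $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $smb  = Get-SmbServerConfiguration
        $secureBoot = try { Confirm-SecureBootUEFI } catch { 'n/a (no UEFI)' }
        $wef = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' -ErrorAction SilentlyContinue
        $zones = if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
            Get-DnsServerZone | Where-Object IsDsIntegrated | Select-Object ZoneName, DynamicUpdate, SecureSecondaries
        }
        [pscustomobject]@{
            SecureBoot                = $secureBoot
            SpoolerStartType          = (Get-Service Spooler -ErrorAction SilentlyContinue).StartType
            IISInstalled              = (Get-WindowsFeature Web-Server).Installed
            LastHotfixInstalled       = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
            LdapServerIntegrity       = $ntds.LDAPServerIntegrity         # 2 = require signing
            LdapEnforceChannelBinding = $ntds.LdapEnforceChannelBinding   # 2 = always
            SmbRequireSigning         = $smb.RequireSecuritySignature
            SmbEncryptData            = $smb.EncryptData
            WefSubscriptionManager    = $wef.'1'
            AuditPolicy               = auditpol /get /category:* /r | ConvertFrom-Csv | Select-Object Subcategory, 'Inclusion Setting'
            DnsZones                  = $zones
        }
    }
}

$report | ConvertTo-Json -Depth 6 | Set-Content -Path $ReportPath -Encoding UTF8

# Quick flags for the settings the checklist names by value; everything else is reviewed from the JSON
foreach ($dc in $report.PerDC) {
    $flags = @()
    if ($dc.LdapServerIntegrity -ne 2)       { $flags += 'LDAP signing not required' }
    if ($dc.LdapEnforceChannelBinding -ne 2) { $flags += 'LDAP channel binding not always enforced' }
    if (-not $dc.SmbRequireSigning)          { $flags += 'SMB signing not required' }
    if ($dc.SpoolerStartType -ne 'Disabled') { $flags += 'Print Spooler not disabled' }
    if ($dc.DnsZones | Where-Object { $_.DynamicUpdate -ne 'Secure' }) { $flags += 'AD-integrated zone allows non-secure dynamic updates' }
    if (-not $dc.WefSubscriptionManager)     { $flags += 'no WEF subscription manager set (verify your SIEM agent instead)' }
    '{0}: {1}' -f $dc.PSComputerName, $(if ($flags) { $flags -join '; ' } else { 'no flags from the quick checks' })
}
"Evidence written to $ReportPath"
```

Run it from an elevated Windows PowerShell 5.1 session on a management host; the JSON is the evidence you attach to each checklist item, and the console summary only flags the handful of settings that have a single correct value. Items 3, 4, 10 and 15 are not scripted because they are procedural (physical access, baseline selection, the SCAP scan itself) rather than something a query can settle.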