Back
This checklist distills the DISA Active Directory Domain STIG into practical, actionable tasks to harden AD domains. It’s designed for system administrators and security engineers responsible for Windows domain security.
Progress
0 / 14
- Inventory domain controllers and AD components — List hostnames, IPs, OS versions, roles, and patch levels.
- Apply latest Microsoft security patches to domain controllers — Schedule during maintenance windows and verify reboots.
- Verify domain and forest functional levels meet requirements — Confirm supported functionality and compatibility before raising.
- Enforce secure LDAP (LDAPS) for AD communications — Install certificates and require LDAP over TLS.
- Configure strong password and account lockout policies in Group Policy — Set length, complexity, history, and lockout thresholds.
- Restrict and review privileged accounts and groups — Audit memberships, remove unnecessary accounts, and document admins.
- Enable and review AD auditing and event logging — Enable advanced auditing and forward events to a SIEM.
- Harden domain controllers (disable unnecessary services) — Apply host firewall rules and remove non-essential services.
- Disable SMBv1 on domain controllers — Turn off SMBv1 and confirm SMBv2/3 availability.
- Remove or disable unused server roles on domain controllers — Uninstall roles like IIS or DHCP if not required on DCs.
- Secure DNS integrated with AD and enable DNSSEC where supported — Harden zone permissions and validate dynamic updates.
- Backup Active Directory and test restores — Perform system state backups and run restore drills regularly.
- Review and apply least-privilege for service and managed accounts — Convert services to managed accounts and remove excessive rights.
- Implement multi-factor authentication for administrative access — Require MFA for console, RDP, and privileged tools.
Your Stats
🏆
0
Completed
📅
—
Last Done
⏱️
—
Last Time
Completion Rate
Items checked per run
⚡
—
Fastest Run
🔥
0
Streak
🚫
—
Most Skipped Step
🔄
0
Resets
📝 My Notes