From Active Directory Domain Security Technical Implementation Guide (STIG)
Part of Trust - Non-DoD
Associated with IA controls: ECIC-1
Associated with: CCI-000366
The configuration of an AD trust relationship is one of the steps used to allow users in one domain to access resources in another domain, forest, or Kerberos realm. When a trust is defined between a DoD organization and a non-DoD organization, the security posture of the two organizations might be significantly different. If the non-DoD organization maintained a less secure environment and that environment were compromised, the presence of the AD trust might allow the DoD environment to be compromised also.
1. Refer to the list of identified trusts obtained in a previous check (V8530). 2. For each of the identified trusts, determine if the other trust party is a non-DoD entity. For example, if the fully qualified domain name of the other party does not end in “.mil”, the other party is probably not a DoD entity. 3. Review the local documentation approving the external network connection and documentation indicating explicit approval of the trust by the DAA. 4. The external network connection documentation is maintained by the IAO\NSO for compliance with the Network Infrastructure STIG. 5. If any trust is defined with a non-DoD system and there is no documentation indicating approval of the external network connection and explicit DAA approval of the trust, then this is a finding.
Obtain DAA approval and document external, forest, or realm trust relationship. Or obtain documentation of the network connection approval and explicit trust approval by the DAA.
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer