From Active Directory Domain Security Technical Implementation Guide (STIG)
Part of IDS Visibility of Directory VPN Data Transport
Associated with IA controls: EBVC-1
Associated with: CCI-000067
To provide data confidentiality, a VPN is configured to encrypt the data being transported. While this protects the data, some implementations do not allow that data to be processed through an intrusion detection system (IDS) that could detect data from a compromised system or malicious client.
1. Interview the site representative. Ask about the location of the domain controllers.
2. If domain controllers are not located in multiple enclaves, then this check is not applicable.
3. If domain controllers are located in multiple enclaves and a VPN is not used, then this check is not applicable.
4. If domain controllers are located in multiple enclaves and a VPN is used, review the site network diagram(s) with the SA, NSO, or network reviewer as required to determine if the AD network traffic is visible to a network or host IDS.
5. If the AD network traffic is not visible to a network or host IDS, then this is a finding.
Replace the VPN solution or reconfigure it so that directory data is inspected by a network or host-based IDS.
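As an added example (not part of the STIG text), one way to support step 4 with evidence rather than diagrams alone: classify flow records exported from the IDS sensor and report a finding when the only cross-enclave traffic it sees is the VPN envelope (IKE/NAT-T, ESP) with no directory protocols. The enclave ranges, record format and flow values below are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Well-known AD service ports: Kerberos, RPC endpoint mapper, LDAP, SMB,
# kpasswd, LDAPS, global catalog. Tunnel envelope: IKE/NAT-T and ESP (proto 50).
AD_PORTS = {"tcp": {88, 135, 389, 445, 464, 636, 3268, 3269}, "udp": {88, 389, 464}}
TUNNEL_PORTS = {"udp": {500, 4500}}
ESP = "esp"

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int]

def parse_flow(line: str) -> Flow:
    """Parse a constructed 'proto,src,dst,dport' record; dport is empty for ESP."""
    proto, src, dst, dport = (f.strip() for f in line.split(","))
    return Flow(proto.lower(), src, dst, int(dport) if dport else None)

def classify(flow: Flow) -> str:
    """'ad' = directory protocol visible, 'tunnel' = VPN envelope only, else 'other'."""
    if flow.proto == ESP or flow.dport in TUNNEL_PORTS.get(flow.proto, set()):
        return "tunnel"
    return "ad" if flow.dport in AD_PORTS.get(flow.proto, set()) else "other"

def enclave_of(addr: str, enclaves: dict) -> Optional[str]:
    """Name of the enclave whose address ranges contain addr, or None."""
    ip = ip_address(addr)
    return next((n for n, nets in enclaves.items()
                 if any(ip in ip_network(c) for c in nets)), None)

def assess_visibility(lines, enclaves: dict) -> dict:
    """Count cross-enclave flows by class; finding when only tunnel traffic is seen."""
    counts = {"ad": 0, "tunnel": 0, "other": 0}
    for line in filter(str.strip, lines):
        f = parse_flow(line)
        a, b = enclave_of(f.src, enclaves), enclave_of(f.dst, enclaves)
        if a and b and a != b:            # only traffic between the two enclaves
            counts[classify(f)] += 1
    counts["finding"] = counts["ad"] == 0 and counts["tunnel"] > 0
    return counts
# Constructed sample: a sensor on the WAN side of the VPN gateways sees only IPsec.
ENCLAVES = {"siteA": ["10.1.0.0/16"], "siteB": ["10.2.0.0/16"]}
SAMPLE_FLOWS = ["udp,10.1.255.1,10.2.255.1,4500", "esp,10.1.255.1,10.2.255.1,",
                "tcp,10.1.0.10,10.1.0.20,389", "tcp,10.1.0.10,203.0.113.7,443"]
if __name__ == "__main__":
    print(assess_visibility(SAMPLE_FLOWS, ENCLAVES))
```

A sensor placed inside the tunnel (on the enclave side of the gateway, or a host IDS on the domain controllers) would instead produce "ad" flows and no finding.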