From Active Directory Domain Security Technical Implementation Guide (STIG)
Part of Replication in the DMZ (RODC)
Associated with IA controls: ECSC-1
Associated with: CCI-000366
The RODC role provides a unidirectional replication method for selected information from your internal network to the DMZ. If it is not properly configured so that the risk footprint is minimized, the internal domain controller or forest can be compromised.
1. Verify that the site has applied the Network Infrastructure STIG to configure the VPN and IPSec.
2. Verify that IPSec and other communications and security configurations for the management and replication of the RODC are managed by use of the minimum required Group Policy Objects (GPOs).
3. Include an inspection of the RODC server in the DMZ when inspecting for least privilege.
4. Verify that required patches and compatibility packs are installed if the RODC is used with Windows 2003 (or earlier) clients.
5. If the RODC server and configuration do not comply with requirements, then this is a finding.
1. Ensure compliance with VPN and IPSec requirements in the Network Infrastructure STIG.
2. Ensure IPSec and other communications and security configurations for the management and replication of the RODC use the minimum required Group Policy Objects (GPOs) to provide the required functionality.
3. Replicate only the information needed to provide the functionality required. If full replication of all directory data is not needed, then replicate only the selected ID and authentication information the RODC needs.
4. Include an inspection of the RODC server in the DMZ when inspecting for least privilege.
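Step 3 above (replicate only the ID and authentication information the DMZ needs) is enforced on an RODC through its Password Replication Policy, and step 4 asks for a least-privilege inspection of that RODC. The following PowerShell audit is an added example, not text from the STIG; it assumes the RSAT ActiveDirectory module is available and treats the groups listed in `$PrivilegedGroups` as ones whose secrets must never be cached on a DMZ RODC.

```powershell
# Added example (not part of the STIG): report, per RODC, whether its Password
# Replication Policy lets privileged or overly broad principals be cached there.
# Assumes the ActiveDirectory (RSAT) module and read rights to the domain.
Import-Module ActiveDirectory

# Assumption: groups that should never have secrets cached on a DMZ RODC.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators'
)
# Assumption: principals that make the Allowed list effectively "everyone".
$BroadPrincipals = @('Authenticated Users', 'Domain Users', 'Everyone')

function Test-RodcPasswordReplicationPolicy {
    [CmdletBinding()]
    param(
        # Optional: audit one RODC by name; otherwise every RODC in the domain.
        [string]$Identity
    )
    $rodcs = if ($Identity) { Get-ADDomainController -Identity $Identity }
             else { Get-ADDomainController -Filter { IsReadOnly -eq $true } }

    foreach ($dc in $rodcs) {
        # Principals the RODC is permitted to cache secrets for.
        $allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc -Allowed
        # Accounts whose secrets have actually been revealed to this RODC so far.
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -RevealedAccounts

        $privAllowed = @($allowed  | Where-Object { $PrivilegedGroups -contains $_.Name })
        $broadAllowed = @($allowed | Where-Object { $BroadPrincipals -contains $_.Name })
        # Direct group membership only; nested membership is not expanded here.
        $privRevealed = @($revealed | Where-Object {
            Get-ADPrincipalGroupMembership $_ |
                Where-Object { $PrivilegedGroups -contains $_.Name }
        })

        [pscustomobject]@{
            RODC               = $dc.HostName
            AllowedCount       = @($allowed).Count
            RevealedCount      = @($revealed).Count
            PrivilegedAllowed  = $privAllowed.Name -join ', '
            BroadAllowed       = $broadAllowed.Name -join ', '
            PrivilegedRevealed = $privRevealed.SamAccountName -join ', '
            Finding            = ($privAllowed.Count + $broadAllowed.Count + $privRevealed.Count) -gt 0
        }
    }
}

Test-RodcPasswordReplicationPolicy | Format-Table -AutoSize
```

A row with `Finding` set to `True` corresponds to check item 5: the RODC is caching, or is allowed to cache, more than the DMZ role requires.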