A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks.

From Active Directory Domain Security Technical Implementation Guide (STIG)

Part of Trust - Non-DoD

Associated with IA controls: ECIC-1

Associated with: CCI-000366

SV-9033r2_rule A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks.

Vulnerability discussion

The configuration of an AD trust relationship is one of the steps used to allow users in one domain to access resources in another domain, forest, or Kerberos realm. When a trust is defined between a DoD organization and a non-DoD organization, the security posture of the two organizations might be significantly different. If the non-DoD organization maintained a less secure environment and that environment were compromised, the presence of the AD trust might allow the DoD environment to be compromised also.

Check content

1. Refer to the list of identified trusts obtained in a previous check (V8530). 2. For each of the identified trusts, determine if the other trust party is a non-DoD entity. For example, if the fully qualified domain name of the other party does not end in “.mil”, the other party is probably not a DoD entity. 3. Review the local documentation approving the external network connection and documentation indicating explicit approval of the trust by the DAA. 4. The external network connection documentation is maintained by the IAO\NSO for compliance with the Network Infrastructure STIG. 5. If any trust is defined with a non-DoD system and there is no documentation indicating approval of the external network connection and explicit DAA approval of the trust, then this is a finding.

Fix text

Obtain DAA approval and document external, forest, or realm trust relationship. Or obtain documentation of the network connection approval and explicit trust approval by the DAA.

Pro Tips

Powered by sagemincer