Servers A

Important Steps for Configuring Active Directory

 

Logging:

  • Keep domain controller logs centrally.
  • Keep security logs from all domain joined servers centrally.
  • Create and monitor alerts on:
    • The use (success or failure) of any domain administrator credentials.
    • The use of any local administrator credentials.
    • Changes to domain administrator or other sensitive groups in AD.

Cached Credentials:

  • Use GPO to set cached credentials on servers to the minimum you possibly can (0 or 1 for servers - for desktops, you may find...
Read more about Important Steps for Configuring Active Directory

Remote login must only permit the use of encrypted communications

Remote login to all servers must only permit the use of encrypted communications such as ssh. Windows servers must enforce a minimum of 128-bit encryption for Terminal Services and Remote Desktop communication. All servers running SSH must use a minimum of protocol version 2. Use of VPN is advised where available

Servers must meet the most stringent requirement

Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification. If you aren't able to identify whether or not a server may have HRCI, apply the level 4 controls.

Level 3 On Systems

Use or store Level 3 or higher information only on protected servers or services

Server operators

SA14: People responsible for the operation of servers must have the skills, experience and/or training needed to implement these requirements.

Ensure individual user identification

 Server operators must not knowingly set up accounts that will be shared by multiple users unless there is a process by which the individual users can be identified. The use of “sudo” or “runas” meets this how-to.

Pages