STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← Back to STIGs

Active Directory Forest Security Technical Implementation Guide

Version

V3R2

Release Date

May 15, 2025

SCAP Benchmark ID

Active_Directory_Forest

Total Checks

7

Tags

other
CAT I: 3CAT II: 3CAT III: 1

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Export CKLExport CSVExport JSONDownload STIG ZIP

Checks (7)

V-243502MEDIUMMembership to the Schema Admins group must be limited.V-243503MEDIUMAnonymous Access to AD forest data above the rootDSE level must be disabled.V-243504MEDIUMThe Windows Time Service on the forest root PDC Emulator must be configured to acquire its time from an external time source.V-243505LOWChanges to the AD schema must be subject to a documented configuration management process.V-243506HIGHUpdate access to the directory schema must be restricted to appropriate accounts.V-269098HIGHWindows Server hosting Active Directory Certificate Services (AD CS) must enforce Certificate Authority (CA) certificate management approval for certificate requests.V-269099HIGHWindows Server running Active Directory Certificate Services (AD CS) must be managed by a PAW tier 0.