| Field | Value |
|---|---|
| Name | Guide to Securing Microsoft Windows 2000 Active Directory |
| Version | v1.0 |
| Status | Final |
| Creation Date | 2000-12 |
| Revision Date | |
| Product Category | Directory Service |
| Vendor | Microsoft Corporation |
| Product | Microsoft Windows 2000 Active Directory |
| Product Version | Windows 2000 Server |
| Product Role | |
| Checklist Summary | The purpose of this document is to provide Active Directory security configuration guidance and recommendations. It gives the reader an overview of Active Directory in relation to Windows 2000 and provides detailed information on the configuration of multiple Active Directory areas, along with the methods system administrators can use to implement configuration and security settings within Active Directory. In addition, the guide documents procedures to back up and restore Active Directory data. This document is meant to be a starting point for Windows 2000 Active Directory security and does not cover the numerous Windows 2000 functions and applications associated with Active Directory. It is a companion to the "Guide to Securing Microsoft Windows 2000: Security Configuration Tool Set" and the other documents that comprise the overall NSA Windows 2000 guidance. |
| Known Issues | Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment. This document is only a guide containing recommended security configurations. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide while using products such as Microsoft Exchange, IIS, and SMS. The security changes described in this document apply only to Microsoft Windows 2000 Service Pack 1 systems and should not be applied to any other Windows versions or operating systems. You can severely impair or disable a Windows 2000 system with incorrect changes or accidental deletions when using programs (for example, the Security Configuration Tool Set, Regedt32.exe, and Regedit.exe) to change the system configuration. Therefore, it is extremely important to test all settings recommended in this guide before installing them on an operational network. Currently, no Undo function exists for deletions made within the Windows 2000 registry. The registry editor (Regedt32.exe or Regedit.exe) prompts you to confirm deletions if Confirm On Delete is selected from the Options menu. When you delete a registry key, the message does not include the name of the key you are deleting, so check your selection carefully before proceeding with any deletion. |
| Target Audience | This checklist has been created for IT professionals. It is intended for the reader who is already familiar with Active Directory but needs to understand how to make it more secure. The document assumes that the reader has experience administering Windows-based systems in domain or standalone configurations. |
| Target Operational Environment | Enterprise-wide distribution |
| Checklist Installation Tools | Microsoft Windows 2000 Resource Kit. |
| Rollback Capability | Not Available |
| Testing Information | The security configuration guide has been extensively tested in a lab and operational environment. |
| NIAP/CMVP Status | |
| Regulatory Compliance | |
| Comments, Warnings, Disclaimer, Miscellaneous | Prior to loading Windows 2000 Active Directory, it is recommended to verify that the system's current operating system is Windows 2000 Service Pack 1. The security changes described in this document should not be applied to any other Windows 2000 or Windows NT versions or operating systems. In order for Active Directory to properly use DNS, Active Directory requires DNS Service Resource Record (SRV RR) support and BIND 8.1.2 or higher. The Microsoft Management Console is used to customize and apply some of the security settings to Windows systems. A registry editor (Regedt32.exe or Regedit.exe) can be used to manipulate registry keys. |
| Disclaimer | Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. Security configuration guides are provided for the Department of Defense and other government agencies requiring security configuration guidelines. The guides contain recommended security settings. They are not intended to replace well-structured policy or sound judgment. The guides do not address site-specific configuration issues. Care must be taken when implementing the guides to address local operational and policy concerns. All security changes described in the guides are applicable only to specifically identified operating systems or architecture components and should not be applied to any other operating system or architecture components. |
| Product Support | |
| Submitting Organization/Authors | National Security Agency |
| Point of Contact | SNAC.Guides@nsa.gov |
| Sponsor | |
| Licensing | Refer to the legal statement provided in the download package. http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/win2k/w2k_active_dir.pdf |
| Checklist Homepage | http://www.nsa.gov/ia/ |
| Download Package | w2k_active_dir.pdf |
| Integrity | SHA1 (w2k_active_dir.pdf) = 32f58a36f200d6150f462e44423a51c44d1bfa3b; SHA256 (w2k_active_dir.pdf) = 9fa501806a4e7b75d988cb09e42300de29f4c1caaaa23a7f0c203de67ed61d6c |
| Change History | v1.0, 2000-12 |
| Dependency/Requirement | |
| References | Not Available |
| NIST Identifier | 1020 |