Active Directory Domain STIG Version Comparison
Active Directory Domain Security Technical Implementation Guide
Comparison
There are 3 differences between versions v3 r2 (Nov. 14, 2022) (the "left" version) and v3 r4 (May 15, 2024) (the "right" version).
Check AD.0160 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
Text Differences
Title
The domain functional level must be at a Windows Server version still supported by Microsoft.
Check Content
Open "Active Directory Domains and Trusts" (run "domain.msc") or "Active Directory Users and Computers" (run "dsa.msc"). Right-click in the left pane on the name of the Domain being reviewed. Select "Raise domain functional level..." The current domain functional level will be displayed (as well as the option to raise the domain functional level). Select "Cancel" to exit.

Alternately, using PowerShell ([v3 r2: Windows Server 2008 R2 or later | v3 r4: Windows Server 2016]): Select "Active Directory Module for Windows PowerShell", available in Administrative Tools or the Start Screen. Run "Get-ADDomain". View the value for "DomainMode:".

If the domain functional level is not [v3 r2: Windows Server 2008 or later | v3 r4: Windows Server 2016], this is a finding. Using the highest domain functional level supported by the domain controllers is recommended.
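The PowerShell path of the check, scripted as an added example (not part of the STIG or any DISA tooling): it maps the "DomainMode" value returned by Get-ADDomain onto the ordered functional levels and reports Open or NotAFinding against the version's threshold, then lists the domain controllers' operating systems so the reviewer can judge whether a higher level is supportable. It assumes the ActiveDirectory RSAT module and a read-only domain account; the function and parameter names are the example's own.

```powershell
# Added example, not part of the STIG: evaluate AD.0160 from Get-ADDomain output.
# Assumes the ActiveDirectory RSAT module and an account that can read the domain.

# Functional levels in ascending order, as named by Get-ADDomain's DomainMode (ADDomainMode enum).
$script:LevelOrder = @(
    'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain',
    'Windows2008Domain', 'Windows2008R2Domain', 'Windows2012Domain',
    'Windows2012R2Domain', 'Windows2016Domain'
)

function Test-DomainFunctionalLevel {
    param(
        [Parameter(Mandatory)] [string] $DomainMode,     # e.g. 'Windows2012R2Domain'
        [string] $MinimumLevel = 'Windows2016Domain'     # v3 r4 threshold; 'Windows2008Domain' for v3 r2
    )
    $actual   = $script:LevelOrder.IndexOf($DomainMode)
    $required = $script:LevelOrder.IndexOf($MinimumLevel)
    if ($actual -lt 0) {
        # A level newer than this table knows, or an unexpected string: hand it to a human.
        return [pscustomobject]@{ DomainMode = $DomainMode; Status = 'Review'
                                  Detail = 'Unrecognised DomainMode value' }
    }
    $status = if ($actual -ge $required) { 'NotAFinding' } else { 'Open' }
    [pscustomobject]@{ DomainMode = $DomainMode; Status = $status
                       Detail = "Minimum required: $MinimumLevel" }
}

function Invoke-Ad0160Check {
    param([string] $MinimumLevel = 'Windows2016Domain')
    Import-Module ActiveDirectory -ErrorAction Stop
    $domain = Get-ADDomain
    $result = Test-DomainFunctionalLevel -DomainMode $domain.DomainMode.ToString() -MinimumLevel $MinimumLevel
    # The check recommends the highest level the DCs support, so show the DC operating systems too.
    $dcs = Get-ADDomainController -Filter * |
        Select-Object HostName, OperatingSystem, OperatingSystemVersion
    [pscustomobject]@{ Domain = $domain.DNSRoot; Result = $result; DomainControllers = $dcs }
}

# Offline demonstration with a constructed value (no domain connection needed).
Test-DomainFunctionalLevel -DomainMode 'Windows2012R2Domain'   # Status: Open against the v3 r4 threshold
Test-DomainFunctionalLevel -DomainMode 'Windows2012R2Domain' -MinimumLevel 'Windows2008Domain'   # NotAFinding under v3 r2
```

Run Invoke-Ad0160Check from a domain-joined host to evaluate the live domain; a Status of Review means the DomainMode name is newer than the table and should be checked by hand.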
Discussion
Domains operating at functional levels below Windows Server versions no longer supported by Microsoft reduce the level of security in the domain and forest as advanced features of the directory are not available. This also prevents the addition of domain controllers to the domain using Windows Server versions prior to the current domain functional level.
Fix
Raise the domain functional level to [v3 r2: Windows Server 2008 or later | v3 r4: Windows Server 2016]. Using the highest domain functional level supported by the domain controllers is recommended.

Raising the domain functional level needs to be carefully planned and implemented. This prevents the addition of domain controllers to the domain using Windows versions prior to the current domain functional level. [v3 r2: Refer to | v3 r4: See] Microsoft documentation for the process and requirements of raising the domain functional level.