Check: WN16-DC-000140
Microsoft Windows Server 2016 STIG:
WN16-DC-000140
(in versions v2 r9 through v1 r1)
Title
Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. (Cat II impact)
Discussion
Directory data that is not appropriately encrypted is subject to compromise. Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network.
Check Content
This applies to domain controllers. It is NA for other systems. Review the organization network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted. Determine the classification level of the Windows domain controller. If the classification level of the Windows domain controller is higher than the level of the networks, review the organization network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic. If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding.
Fix Text
Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level that transfer replication data through a network cleared to a lower level than the data.
Additional Identifiers
Rule ID: SV-224977r987791_rule
Vulnerability ID: V-224977
Group Title: SRG-OS-000396-GPOS-00176
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002450 |
Implement organization-defined types of cryptography for each specified cryptography use. |
Controls
Number | Title |
---|---|
SC-13 |
Cryptographic Protection |