################################################################################
DOCUMENT         : Active_Directory_Forest
VERSION          : 003.002.001
CHECKSUM         : cda9eb426d1ce8d7937808719a10db6584c05903e89d851078210fe77eddfd21
MANUAL QUESTIONS : 3

IMPORTANT: Make sure to save the completed version of this file to: 
<SCC Install>/Resources/Content/Manual_Questions/Completed_Files

This file contains all of the non-automated STIG requirements found in the STIG.
Results from this file will be combined with automated checks in SCC to provide
complete STIG compliance results.

This file will be programmatically imported, so do not modify anything in this file
except for placing an '[X]' to select a single answer, and entering text comments.

The list of questions is printed in order of severity, listing CAT I (High), then CAT II, etc.

################################################################################

QUESTION         : 1 of 3
TITLE            : CAT I, V-269098, SV-269098r1106505, SRG-OS-000324
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:1101
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:1101
RULE             : Windows Server hosting Active Directory Certificate Services (AD CS) must enforce Certificate Authority (CA) certificate management approval for certificate requests.
QUESTION_TEXT    : Certificate templates with the following extended key usages AND that allow a requestor to supply the subject name in the request require manual approval. In the AD CS web server properties, select "VulnerableCertTemplate" properties. Verify that "Subject Name" and "Supply in the request" are selected.

If "Subject Name" AND "Supply in the request" are selected and manual approval (CA certificate manager approval) is not required, this is a finding. 

If "Supply in the request" is NOT selected, and the Enroll permissions for the template have been limited to a select group of users/administrators, this is not a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 1 *******************************
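The check above is usually done per template in the Certificate Templates console. The following PowerShell is an added example, not part of the STIG or the SCC content, that enumerates every template in the forest's Configuration partition and flags the combination the rule describes: the requester may supply the subject name (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag), CA certificate manager approval is not required (CT_FLAG_PEND_ALL_REQUESTS absent from msPKI-Enrollment-Flag), and the template carries an authentication-capable EKU. The STIG's list of "the following extended key usages" is not reproduced on this page; the EKU OIDs below are the common authentication EKUs and are an assumption of this example. It runs on any domain-joined host with built-in .NET directory classes (no RSAT required).

```powershell
# Added example: list AD CS certificate templates that allow the requester to
# supply the subject name without CA certificate manager approval.
# Flag values are from MS-CRTD.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # msPKI-Enrollment-Flag

# Assumed list of authentication EKUs (the STIG's own list is not on this page).
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '2.5.29.37.0'              # Any Purpose
)

# Templates live in the forest-wide Configuration naming context.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = [string]$rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter   = '(objectClass=pKICertificateTemplate)'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(@(
    'cn', 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'pKIExtendedKeyUsage'))

foreach ($result in $searcher.FindAll()) {
    # ResultPropertyCollection keys are lower-cased by DirectorySearcher.
    $name      = [string]$result.Properties['cn'][0]
    $nameFlags = [int]$result.Properties['mspki-certificate-name-flag'][0]
    $enrFlags  = [int]$result.Properties['mspki-enrollment-flag'][0]
    $ekus      = @($result.Properties['pkiextendedkeyusage'])

    $suppliesSubject = ($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $managerApproval = ($enrFlags  -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    # No EKU at all means the certificate is valid for any purpose, so treat it
    # as authentication-capable as well.
    $authCapable = ($ekus.Count -eq 0) -or
                   (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)

    [pscustomobject]@{
        Template         = $name
        SuppliesSubject  = $suppliesSubject
        ManagerApproval  = $managerApproval
        AuthEKU          = $authCapable
        CandidateFinding = $suppliesSubject -and $authCapable -and (-not $managerApproval)
    }
}
```

Rows with CandidateFinding set to True still need two manual checks before they are recorded as a finding: the STIG's exception for templates whose Enroll permission is limited to a select group of administrators (read the template's security descriptor), and whether the template is actually published on a CA (the certificateTemplates attribute of the CA's pKIEnrollmentService object); an unpublished template cannot be requested from.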

QUESTION         : 2 of 3
TITLE            : CAT I, V-269099, SV-269099r1026184, SRG-OS-000324
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:1301
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:1301
RULE             : Windows Server running Active Directory Certificate Services (AD CS) must be managed by a PAW tier 0.
QUESTION_TEXT    : Verify that a site has set aside one or more PAWs for remote management of AD CS. 

A dedicated AD CS/CA Admin account that is only usable on tier 0 PAW or the ADCS server must be used to manage the certificate authority and approve requests.

Review any available site documentation.

Verify that any PAW used to manage high-value IT resources of a specific tier is used exclusively for managing high-value IT resources assigned to that one tier.

If the site has not set aside one or more PAWs for remote management of AD CS, this is a finding.

References:
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 2 *******************************

QUESTION         : 3 of 3
TITLE            : CAT III, V-243505, SV-243505r1026206, SRG-OS-000480
TEST_ACTION_ID   : ocil:navy.navwar.niwcatlantic.scc.sql.server:testaction:701
QUESTION_ID      : ocil:navy.navwar.niwcatlantic.scc.sql.server:question:701
RULE             : Changes to the AD schema must be subject to a documented configuration management process. 
QUESTION_TEXT    : 1. Interview the ISSO.

2. Obtain a copy of the site's configuration management procedures documentation.

3. Verify that there is a local policy that requires changes to the directory schema to be processed through a configuration management process. This applies to directory schema changes whether implemented in a database or other types of files. For AD, this refers to changes to the AD schema.

4. If there is no policy that requires changes to the directory schema to be processed through a configuration management process, then this is a finding.


References:
V-8527
SV-30998
CCI-000366
     ===========================================================================
     Select One of the following by entering an X in the brackets
     [ ] Finding
     [ ] Not a Finding
     [ ] Not Applicable
     [X] Not Reviewed
     Enter any comments : 

******************************* end of question 3 *******************************

