This article guides professionals on how to consider and document the impact of INFOCON changes on cross-directory authentication configuration for an Active Directory Domain.
Implementing this control should be considered at a minimum as low importance.
PS. G5 Cyber Security can scan your entire network for security vulnerabilities, guide you to resolve them, and more. Please contact us here to get started.
How to implement this security control
Evaluate cross-directory configurations (such as trusts and pass-through authentication) and provide documentation that indicates:
- That an evaluation was performed.
- The specific AD trust configurations, if any, that should be disabled during changes in INFOCON status because they could represent increased risk.
How to verify this security control is implemented
- Refer to the list of actual manual AD trusts (cross-directory configurations) collected from the site representative.
- If there are no manual AD trusts (cross-directory configurations) defined, this check is not applicable.
For AD, this includes external, forest, or realm trust relationship types.
- Obtain a copy of the site’s supplemental INFOCON procedures as required by Strategic Command Directive (SD) 527-1.
- Verify that it has been determined by the IAM whether INFOCON response actions need to include procedures to disable manual AD trusts (cross-directory configurations). The objective is to determine if the need has been explicitly evaluated.
- If it has been determined that actions to disable manual AD trusts (cross-directory configurations) are not necessary, then this check is not applicable.
- If it has been determined that actions to disable manual AD trusts (cross-directory configurations) *are* necessary, verify that the policy to implement these actions has been documented.
- If actions to disable manual AD trusts (cross-directory configurations) *are* needed and no policy has been documented, then this is a finding.
Why you should implement this security control
When incidents occur that require a change in the INFOCON status, it may be necessary to take action to restrict or disable certain types of access that is based on a directory outside the Component’s control.
Cross-directory configurations (such as trusts and pass-through authentication) are specifically designed to enable resource access across directories. If conditions indicate that an outside directory is at increased risk of compromise in the immediate or near future, actions to avoid a spread of the effects of the compromise should be taken.
A trusted outside directory that is compromised could allow an unauthorized user to access resources in the trusting directory.