AWS directoryservice documentation change
Summary
Formatting updates with backticks for code elements and minor text corrections (e.g., 'directorys' to 'directories'). No substantive content changes to security guidance.
Security assessment
Changes are purely syntactic (backtick formatting for code/markup consistency) and grammatical fixes. All security-related warnings about NTLMv1, NT4 Cryptography, privileged account limits, and orphaned admins were already present in prior version. No new security guidance or vulnerability disclosures were added.
Diff
diff --git a/directoryservice/latest/admin-guide/assessment_test_warning-msgs.md b/directoryservice/latest/admin-guide/assessment_test_warning-msgs.md index f7753f198..7354990f7 100644 --- a//directoryservice/latest/admin-guide/assessment_test_warning-msgs.md +++ b//directoryservice/latest/admin-guide/assessment_test_warning-msgs.md @@ -11,14 +11,14 @@ Test name | Short name | Warning code | Warning message | Description | Resoluti -Domain Health Tests | testDisabledStaleUserNumber | STALE_USERS_FOUND | `StaleUserCount` users were found to be stale, they have not logged in for `StaleThresholdInDays` days. | Occurs if there are user accounts in your self-managed AD that have not logged in for an extended period and may be considered stale or inactive. | Clean up stale user accounts. -Domain Controller Time Source Test | testDCTimeSource | DC_BAD_TIMESOURCE | Time sources not properly configured for PDC, should using an authoritative source. Time sources not properly configured for `dcHostName`, should using PDC as source | Occurs if self-managed AD has the correct time source setup and that there is no large time skewness when compared to a AWS time source. | Your primary domain controller (PDC) time server is directed to 169.254.169.123. Your non-primary domain controllers should be pointed to the PDC as the source. For more information, see [Keeping time with Amazon Time Sync Service](https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/). -Free Space Test | testFreeSpace | DISK_SPACE_EXCEEDED | Supported service max capacity of 7 GB exceeded; SysVol + NTDS is currently using: 24 GB) | Occurs if your self-managed AD Combined NTDS and Sysvol usage is above supported quota. | Your self-managed AD should have 24 GB of disk space for hybrid directorys. -S channel SSP Test | testSchannelSSP | TLS_1_2_NOT_ENABLED | Disabled protocol `DisabledProtocol` is still enabled. | Occurs if a self-managed AD does not use TLS1.2 and AES256 encryption. | Your self-managed AD must use TLS 1.2 and AES256 for hybrid directorys. -Disk Corruption Test | testDiskCorruption | DISK_CORRUPT | Disk corruption detected on `Drive`. | Occurs if there is disk corruption on your self-managed AD. | Your self-managed AD disks should not be corrupted. -Domain Controller Specs Test | testDcSpecs | INSUFFICIENT_RESOURCES | `numAvailableCores` cores detected when `requiredCores` cores recommended. `gbAvailableRam` GB ram detected when `requiredRam` GB recommended. | Occurs if your self-managed AD domain controllers don't meet the required specifications. | Your self-managed AD domain controllers should have at least 7 GB RAM and 2 CPU cores for hybrid directory. -Server Level Plugin Dll Test | testServerLevelPluginDll | SERVER_LEVEL_PLUGIN_DLL_IS_SET | ServerLevelPluginDll registry configuration is not permitted. | Occurs if ServerLevelPluginDll is set on your self-managed AD domain controllers. | Your self-managed AD domain controllers should not have ServerLevelPluginDII configured. -Allow NT4 Crypto Test | testAllowNT4Crypto | NT4_CRYPTO_NOT_ALLOWED | Registry key AllowNt4Crypto is not allowed. | Occurs if self-managed AD allows NT4 Cryptography. | Your self-managed AD should not use NT4 Cryptography. For more information, see Microsoft documentation. -Orphaned Admin Users Test | testOrphanedAdminUsers | ORPHANED_ADMIN_USER_FOUND | `OrphanedUsersCount` Orphaned Admin Users Found: [`OrphanedUserNames`]. | Occurs if orphaned admin users exist in your self-managed AD. | Remove orphaned users on your self-managed AD before continuing. -Privileged User Count Test | testPrivilegedUserCount | DOMAIN_ADMIN_COUNT_EXCEEDED | Number of Domain Admins (`daCount`) exceeded allowance of (`allowedDomainAdminCount`). | Occurs if the total count of your Built-in Admins, Domain Admins,and Enterprise Admins on your self-managed AD a is greater than 5. | Your self-managed AD environment should not have multiple privileged accounts. You should remove excessive admin accounts before continuing. -Privileged User Count Test | testPrivilegedUserCount | ENTERPRISE_ADMIN_COUNT_EXCEEDED | Number of Enterprise Admins (`eaCount`) exceeded allowance of (`allowedEnterpriseAdminCount`). | Occurs if the total count of your Built-in Admins, Domain Admins,and Enterprise Admins on your self-managed AD a is greater than 5. | Your self-managed AD environment should not have multiple privileged accounts. You should remove excessive admin accounts before continuing. -Privileged User Count Test | testPrivilegedUserCount | BUILTIN_ADMIN_COUNT_EXCEEDED | Number of Built-in Admins (`baCount`) exceeded allowance of (`allowedAdminCount`). | Occurs if the total count of your Built-in Admins, Domain Admins,and Enterprise Admins on your self-managed AD a is greater than 5. | Your self-managed AD environment should not have multiple privileged accounts. You should remove excessive admin accounts before continuing. -NTLM Test | testNTLM | INSECURE_SETTING_NTLM | NTLMv1 is enabled. | Occurs if NTLMv1 is enabled for authentication on your self-managed AD. | NT LAN Manager version 1 (NTLMv1) has known security vulnerabilities and should not be used. Disable NTLMv1 on your self-managed AD. For more information, see [Microsoft documentation](https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73). -Tombstone Lifetime Test | testTombstoneLifetime | TOMBSTONE_LIFETIME_ABOVE_LIMIT | Tombstone Lifetime is too long. DC Tombstone Lifetime is `TombstoneLifeTime`, AWS suggested number is `TombstoneMaximum` days. | Occurs if the Tombstone lifetime on your self-managed AD is more than 180 days. | The Tombstone lifetime is the number of days before a deleted object is removed from AD. The Tombstone lifetime value for your self-managed AD should be 180 days or less. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1887de08-2a9e-4694-95e2-898cde411180). +Domain Health Tests | `testDisabledStaleUserNumber` | `STALE_USERS_FOUND` | ``StaleUserCount` users were found to be stale, they have not logged in for `StaleThresholdInDays` days.` | Occurs if there are user accounts in your self-managed AD that have not logged in for an extended period and may be considered stale or inactive. | Clean up stale user accounts. +Domain Controller Time Source Test | `testDCTimeSource` | `DC_BAD_TIMESOURCE` | `Time sources not properly configured for PDC, should using an authoritative source. Time sources not properly configured for `dcHostName`, should using PDC as source` | Occurs if self-managed AD has the correct time source setup and that there is no large time skewness when compared to a AWS time source. | Your primary domain controller (PDC) time server is directed to `169.254.169.123`. Your non-primary domain controllers should be pointed to the PDC as the source. For more information, see [Keeping time with Amazon Time Sync Service](https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/). +Free Space Test | `testFreeSpace` | `DISK_SPACE_EXCEEDED` | `Supported service max capacity of 7 GB exceeded; SysVol + NTDS is currently using: 24 GB)` | Occurs if your self-managed AD Combined NTDS and Sysvol usage is above supported quota. | Your self-managed AD should have 24 GB of disk space for hybrid directories. +S channel SSP Test | `testSchannelSSP` | `TLS_1_2_NOT_ENABLED` | `Disabled protocol `DisabledProtocol` is still enabled.` | Occurs if a self-managed AD does not use TLS1.2 and AES256 encryption. | Your self-managed AD must use TLS 1.2 and AES256 for hybrid directories. +Disk Corruption Test | `testDiskCorruption` | `DISK_CORRUPT` | `Disk corruption detected on `Drive`.` | Occurs if there is disk corruption on your self-managed AD. | Your self-managed AD disks should not be corrupted. +Domain Controller Specs Test | `testDcSpecs` | `INSUFFICIENT_RESOURCES` | ``numAvailableCores` cores detected when `requiredCores` cores recommended. `gbAvailableRam` GB ram detected when `requiredRam` GB recommended.` | Occurs if your self-managed AD domain controllers don't meet the required specifications. | Your self-managed AD domain controllers should have at least 7 GB RAM and 2 CPU cores for hybrid directory. +Server Level Plugin Dll Test | `testServerLevelPluginDll` | `SERVER_LEVEL_PLUGIN_DLL_IS_SET` | `ServerLevelPluginDll registry configuration is not permitted.` | Occurs if ServerLevelPluginDll is set on your self-managed AD domain controllers. | Your self-managed AD domain controllers should not have ServerLevelPluginDII configured. +Allow NT4 Crypto Test | `testAllowNT4Crypto` | `NT4_CRYPTO_NOT_ALLOWED` | `Registry key AllowNt4Crypto is not allowed.` | Occurs if self-managed AD allows NT4 Cryptography. | Your self-managed AD should not use NT4 Cryptography. For more information, see Microsoft documentation. +Orphaned Admin Users Test | `testOrphanedAdminUsers` | `ORPHANED_ADMIN_USER_FOUND` | ``OrphanedUsersCount` Orphaned Admin Users Found: [`OrphanedUserNames`].` | Occurs if orphaned admin users exist in your self-managed AD. | Remove orphaned users on your self-managed AD before continuing. +Privileged User Count Test | `testPrivilegedUserCount` | `DOMAIN_ADMIN_COUNT_EXCEEDED` | `Number of Domain Admins (`daCount`) exceeded allowance of (`allowedDomainAdminCount`).` | Occurs if the total count of your Built-in Admins, Domain Admins,and Enterprise Admins on your self-managed AD a is greater than 5. | Your self-managed AD environment should not have multiple privileged accounts. You should remove excessive admin accounts before continuing. +Privileged User Count Test | `testPrivilegedUserCount` | `ENTERPRISE_ADMIN_COUNT_EXCEEDED` | `Number of Enterprise Admins (`eaCount`) exceeded allowance of (`allowedEnterpriseAdminCount`).` | Occurs if the total count of your Built-in Admins, Domain Admins,and Enterprise Admins on your self-managed AD a is greater than 5. | Your self-managed AD environment should not have multiple privileged accounts. You should remove excessive admin accounts before continuing. +Privileged User Count Test | `testPrivilegedUserCount` | `BUILTIN_ADMIN_COUNT_EXCEEDED` | `Number of Built-in Admins (`baCount`) exceeded allowance of (`allowedAdminCount`).` | Occurs if the total count of your Built-in Admins, Domain Admins,and Enterprise Admins on your self-managed AD a is greater than 5. | Your self-managed AD environment should not have multiple privileged accounts. You should remove excessive admin accounts before continuing. +NTLM Test | `testNTLM` | `INSECURE_SETTING_NTLM` | `NTLMv1 is enabled.` | Occurs if NTLMv1 is enabled for authentication on your self-managed AD. | NT LAN Manager version 1 (NTLMv1) has known security vulnerabilities and should not be used. Disable NTLMv1 on your self-managed AD. For more information, see [Microsoft documentation](https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73). +Tombstone Lifetime Test | `testTombstoneLifetime` | `TOMBSTONE_LIFETIME_ABOVE_LIMIT` | `Tombstone Lifetime is too long. DC Tombstone Lifetime is `TombstoneLifeTime`, AWS suggested number is `TombstoneMaximum` days.` | Occurs if the Tombstone lifetime on your self-managed AD is more than 180 days. | The Tombstone lifetime is the number of days before a deleted object is removed from AD. The Tombstone lifetime value for your self-managed AD should be 180 days or less. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1887de08-2a9e-4694-95e2-898cde411180).