AWS Security ChangesHomeSearch

AWS directoryservice high security documentation change

Service: directoryservice · 2026-05-04 · Security-related high

File: directoryservice/latest/admin-guide/ms_ad_directory_settings.md

Summary

Added documentation for new security settings: NTLM V1 disable, FIPS policy, and UNC hardened paths for Netlogon/SYSVOL.

Security assessment

Explicitly documents disabling insecure NTLMv1 protocol and adds FIPS/UNC hardening options. Addresses security weaknesses by providing mitigation guidance.

Diff

diff --git a/directoryservice/latest/admin-guide/ms_ad_directory_settings.md b/directoryservice/latest/admin-guide/ms_ad_directory_settings.md
index d0f49b97d..e8e9a7db1 100644
--- a//directoryservice/latest/admin-guide/ms_ad_directory_settings.md
+++ b//directoryservice/latest/admin-guide/ms_ad_directory_settings.md
@@ -58,0 +59,27 @@ Type | Setting name | API name | Potential values | Setting description
+Authentication Protocol | NTLM V1 | NTLM_V1 | Enable, Disable | Enable or Disable NTLM V1 authentication for clients of your Active Directory domain controllers.  
+NTLM Security Support Provider (SSP) Session Security | NTLM_SSP_SESSION_SECURITY | Enable, Disable | Enable or disable NTLM SSP session security to enforce encryption and signing for NTLM authentication sessions in your Active Directory domain controllers.  
+Encryption | FIPS Algorithm Policy | FIPS_ALGORITHM_POLICY | Enable, Disable | Enable or disable the FIPS algorithm policy to enforce FIPS-compliant cryptographic algorithms for data protection in your Active directory.  
+Network Hardened Path | UNC Hardened Paths: Netlogon | UNC_HARDENED_PATHS_NETLOGON | Maximum Security, Identity Verification Only, Tamper Protection Only, Encryption Only, Authentication with Integrity, Authentication with Encryption, Secure Data, No Protection | Configure security requirements for UNC connections to the NETLOGON share.
+
+  * **Maximum Security** : Highest security with authentication, encryption, and signing.
+  * **Identity Verification Only** : Both client and server authentication required.
+  * **Tamper Protection Only** : Data integrity verification during transmission.
+  * **Encryption Only** : Data encryption during transmission.
+  * **Authentication with Integrity** : Authentication with data integrity checks.
+  * **Authentication with Encryption** : Authentication with encryption.
+  * **Secure Data** : Data integrity and encryption combined.
+  * **No Protection** : No additional security requirements.
+
+  
+UNC Hardened Paths: SYSVOL | UNC_HARDENED_PATHS_SYSVOL | Maximum Security, Identity Verification Only, Tamper Protection Only, Encryption Only, Authentication with Integrity, Authentication with Encryption, Secure Data, No Protection | Configure security requirements for UNC connections to the SYSVOL share.
+
+  * **Maximum Security** : Highest security with authentication, encryption, and signing.
+  * **Identity Verification Only** : Both client and server authentication required.
+  * **Tamper Protection Only** : Data integrity verification during transmission.
+  * **Encryption Only** : Data encryption during transmission.
+  * **Authentication with Integrity** : Authentication with data integrity checks.
+  * **Authentication with Encryption** : Authentication with encryption.
+  * **Secure Data** : Data integrity and encryption combined.
+  * **No Protection** : No additional security requirements.
+
+