AWS directoryservice high security documentation change
Summary
Added documentation for new security settings: NTLM V1 disable, FIPS policy, and UNC hardened paths for Netlogon/SYSVOL.
Security assessment
Explicitly documents disabling insecure NTLMv1 protocol and adds FIPS/UNC hardening options. Addresses security weaknesses by providing mitigation guidance.
Diff
diff --git a/directoryservice/latest/admin-guide/ms_ad_directory_settings.md b/directoryservice/latest/admin-guide/ms_ad_directory_settings.md index d0f49b97d..e8e9a7db1 100644 --- a//directoryservice/latest/admin-guide/ms_ad_directory_settings.md +++ b//directoryservice/latest/admin-guide/ms_ad_directory_settings.md @@ -58,0 +59,27 @@ Type | Setting name | API name | Potential values | Setting description +Authentication Protocol | NTLM V1 | NTLM_V1 | Enable, Disable | Enable or Disable NTLM V1 authentication for clients of your Active Directory domain controllers. +NTLM Security Support Provider (SSP) Session Security | NTLM_SSP_SESSION_SECURITY | Enable, Disable | Enable or disable NTLM SSP session security to enforce encryption and signing for NTLM authentication sessions in your Active Directory domain controllers. +Encryption | FIPS Algorithm Policy | FIPS_ALGORITHM_POLICY | Enable, Disable | Enable or disable the FIPS algorithm policy to enforce FIPS-compliant cryptographic algorithms for data protection in your Active directory. +Network Hardened Path | UNC Hardened Paths: Netlogon | UNC_HARDENED_PATHS_NETLOGON | Maximum Security, Identity Verification Only, Tamper Protection Only, Encryption Only, Authentication with Integrity, Authentication with Encryption, Secure Data, No Protection | Configure security requirements for UNC connections to the NETLOGON share. + + * **Maximum Security** : Highest security with authentication, encryption, and signing. + * **Identity Verification Only** : Both client and server authentication required. + * **Tamper Protection Only** : Data integrity verification during transmission. + * **Encryption Only** : Data encryption during transmission. + * **Authentication with Integrity** : Authentication with data integrity checks. + * **Authentication with Encryption** : Authentication with encryption. + * **Secure Data** : Data integrity and encryption combined. + * **No Protection** : No additional security requirements. + + +UNC Hardened Paths: SYSVOL | UNC_HARDENED_PATHS_SYSVOL | Maximum Security, Identity Verification Only, Tamper Protection Only, Encryption Only, Authentication with Integrity, Authentication with Encryption, Secure Data, No Protection | Configure security requirements for UNC connections to the SYSVOL share. + + * **Maximum Security** : Highest security with authentication, encryption, and signing. + * **Identity Verification Only** : Both client and server authentication required. + * **Tamper Protection Only** : Data integrity verification during transmission. + * **Encryption Only** : Data encryption during transmission. + * **Authentication with Integrity** : Authentication with data integrity checks. + * **Authentication with Encryption** : Authentication with encryption. + * **Secure Data** : Data integrity and encryption combined. + * **No Protection** : No additional security requirements. + +