Editing Amazon Managed Microsoft AD directory security settings
You can configure fine-grained directory settings for your Amazon Managed Microsoft AD to meet your compliance and security requirements without any increase in operational workload. In directory settings, you can update secure channel configuration for protocols and ciphers used in your directory. For example, you have the flexibility to disable individual legacy ciphers, such as RC4 or DES, and protocols, such as SSL 2.0/3.0 and TLS 1.0/1.1. Amazon Managed Microsoft AD then deploys the configuration to all domain controllers in your directory, manages domain controller reboots, and maintains this configuration as you scale out or deploy additional Amazon Web Services Regions. For all available settings, see List of directory security settings.
Edit directory security settings
You can configure and edit settings for any of your directories.
To edit directory settings
Sign in to the Amazon Management Console and open the Amazon Directory Service console at https://console.aws.amazon.com/directoryservicev2/. On the Directories page, choose your directory ID.
Under Networking & security, find Directory settings, and then choose Edit settings.
In Edit settings, change the Value for the settings that you want to edit. When you edit a setting, its status changes from Default to Ready to Update. If you have edited the setting previously, its status changes from Updated to Ready to Update. Then, choose Review.
In Review and update settings, see Directory settings and make sure that the new values are all correct. If you want to make any other changes to your settings, choose Edit settings. When you’re satisfied with your changes and ready to implement the new values, choose Update settings. Then, you’re taken back to the directory ID page.
Note
Under Directory settings, you can view the Status of your updated settings. While settings are implemented, the Status displays Updating. You cannot edit other settings while a setting displays Updating under Status. The Status displays Updated if the setting successfully updates with your edit. The Status displays Failed if the setting fails to update with your edit.
Failed directory security settings
If an error occurs during a settings update, the Status displays as Failed. In a failed status, the settings do not update to the new values, and the original values remain implemented. You can retry updating these settings or revert them to their previous values.
To resolve failed updated settings
Under Directory settings, choose Resolve failed settings. Then, do one of the following:
To revert your settings back to their original value before the failure state, choose Revert failed settings. Then, choose Revert in the pop-up modal.
To retry updating your directory settings, choose Retry failed settings. If you want to make additional changes to your directory settings before retrying the failed updates, choose Continue editing. On Review and retry failed updates, choose Update settings.
List of directory security settings
The following list shows the type, setting name, API name, potential values, and setting description for all available directory security settings.
TLS 1.2 and AES 256/256 are always available and are the only directory security settings that remain in effect if every other cipher and protocol is disabled. They cannot be disabled and therefore do not appear in the table.
Type | Setting name | API name | Potential values | Setting description
---|---|---|---|---
Certificate Based Authentication | Certificate Backdating Compensation | CERTIFICATE_BACKDATING_COMPENSATION | Years: 0 to 50; Months: 0 to 11; Days: 0 to 30; Hours: 0 to 23; Minutes: 0 to 59; Seconds: 0 to 59 | Specify a value to indicate the length of time that a certificate can predate a user in Active Directory and still be used for authentication in Active Directory. The default value is 10 minutes. You can set this value from 1 second to 50 years. To configure this setting, you must select the Compatibility type for Strong Certificate Binding Enforcement. For more information, see KB5014754—Certificate-based authentication changes on Windows domain controllers.
Certificate Based Authentication | Certificate Strong Enforcement | CERTIFICATE_STRONG_ENFORCEMENT | Compatibility, Full Enforcement | Specify either of the following enforcement types: Compatibility or Full Enforcement. For more information, see KB5014754—Certificate-based authentication changes on Windows domain controllers.
Secure Channel: Cipher | AES 128/128 | AES_128_128 | Enable, Disable | Enable or disable the AES 128/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Cipher | DES 56/56 | DES_56_56 | Enable, Disable | Enable or disable the DES 56/56 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Cipher | RC2 40/128 | RC2_40_128 | Enable, Disable | Enable or disable the RC2 40/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Cipher | RC2 56/128 | RC2_56_128 | Enable, Disable | Enable or disable the RC2 56/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Cipher | RC2 128/128 | RC2_128_128 | Enable, Disable | Enable or disable the RC2 128/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Cipher | RC4 40/128 | RC4_40_128 | Enable, Disable | Enable or disable the RC4 40/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Cipher | RC4 56/128 | RC4_56_128 | Enable, Disable | Enable or disable the RC4 56/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Cipher | RC4 64/128 | RC4_64_128 | Enable, Disable | Enable or disable the RC4 64/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Cipher | RC4 128/128 | RC4_128_128 | Enable, Disable | Enable or disable the RC4 128/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Cipher | Triple DES 168/168 | 3DES_168_168 | Enable, Disable | Enable or disable the Triple DES 168/168 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Protocol | PCT 1.0 | PCT_1_0 | Enable, Disable | Enable or disable the PCT 1.0 protocol for secure channel communications (Server and Client) on the domain controllers in your directory.
Secure Channel: Protocol | SSL 2.0 | SSL_2_0 | Enable, Disable | Enable or disable the SSL 2.0 protocol for secure channel communications (Server and Client) on the domain controllers in your directory.
Secure Channel: Protocol | SSL 3.0 | SSL_3_0 | Enable, Disable | Enable or disable the SSL 3.0 protocol for secure channel communications (Server and Client) on the domain controllers in your directory.
Secure Channel: Protocol | TLS 1.0 | TLS_1_0 | Enable, Disable | Enable or disable the TLS 1.0 protocol for secure channel communications (Server and Client) on the domain controllers in your directory.
Secure Channel: Protocol | TLS 1.1 | TLS_1_1 | Enable, Disable | Enable or disable the TLS 1.1 protocol for secure channel communications (Server and Client) on the domain controllers in your directory.
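The console procedure above is the same change expressed as a list of setting name and value pairs, so it is worth having a small script that builds a hardening plan from the table, checks it against the values and rules the table states (Enable/Disable toggles, the two enforcement types, the backdating compensation ranges and its dependency on Compatibility mode), and audits a directory for legacy ciphers still enabled, failed updates to retry, and in-flight updates that block further edits. The following is an added example, not code from the AWS documentation or the Directory Service. The API names come from the table; the DescribeSettings response shape (entries with Name, AppliedValue, RequestedValue and RequestStatus) and the boto3 `ds` client methods used in `apply_plan` are assumptions, and the sample entries are constructed, not captured from a real directory.

```python
"""Plan, validate and audit Amazon Managed Microsoft AD directory security
settings. Added example, not AWS documentation code. Setting names and values
come from the table on this page; the DescribeSettings entry shape and the
boto3 calls in apply_plan() are assumed; SAMPLE_ENTRIES is constructed."""

LEGACY_CIPHERS = {"DES_56_56", "RC2_40_128", "RC2_56_128", "RC2_128_128",
                  "RC4_40_128", "RC4_56_128", "RC4_64_128", "RC4_128_128",
                  "3DES_168_168"}
LEGACY_PROTOCOLS = {"PCT_1_0", "SSL_2_0", "SSL_3_0", "TLS_1_0", "TLS_1_1"}
LEGACY = LEGACY_CIPHERS | LEGACY_PROTOCOLS
TOGGLES = LEGACY | {"AES_128_128"}          # Enable/Disable settings
STRONG_ENFORCEMENT = "CERTIFICATE_STRONG_ENFORCEMENT"
BACKDATING = "CERTIFICATE_BACKDATING_COMPENSATION"
# Upper bound of each backdating component, from the Potential values column.
BACKDATING_BOUNDS = {"years": 50, "months": 11, "days": 30,
                     "hours": 23, "minutes": 59, "seconds": 59}


def hardening_plan(keep_aes128=True):
    """UpdateSettings-style entries disabling every legacy cipher and protocol
    in the table. TLS 1.2 and AES 256/256 cannot be disabled, so no entry is
    generated for them."""
    plan = [{"Name": n, "Value": "Disable"} for n in sorted(LEGACY)]
    if not keep_aes128:
        plan.append({"Name": "AES_128_128", "Value": "Disable"})
    return plan


def check_backdating(**components):
    """Check backdating compensation components against the table's ranges
    and the stated overall span of 1 second to 50 years."""
    problems = []
    for unit, value in components.items():
        if unit not in BACKDATING_BOUNDS:
            problems.append(f"unknown unit {unit!r}")
        elif not 0 <= value <= BACKDATING_BOUNDS[unit]:
            problems.append(f"{unit} must be 0 to {BACKDATING_BOUNDS[unit]}")
    if not any(components.values()):
        problems.append("compensation must be at least 1 second")
    others = [v for u, v in components.items() if u != "years"]
    if components.get("years") == 50 and any(others):
        problems.append("compensation cannot exceed 50 years")
    return problems


def validate_settings(settings, applied=None):
    """Reject names and values the table does not list before sending them.
    `applied` maps setting name -> value currently in effect; the table says
    backdating compensation needs Strong Enforcement set to Compatibility."""
    requested = {s["Name"]: s["Value"] for s in settings}
    effective = {**(applied or {}), **requested}
    problems = []
    for name, value in requested.items():
        if name in TOGGLES:
            if value not in ("Enable", "Disable"):
                problems.append(f"{name}: expected Enable or Disable, got {value!r}")
        elif name == STRONG_ENFORCEMENT:
            if value not in ("Compatibility", "Full Enforcement"):
                problems.append(f"{name}: expected Compatibility or Full Enforcement")
        elif name == BACKDATING:
            if effective.get(STRONG_ENFORCEMENT) != "Compatibility":
                problems.append(f"{name}: requires {STRONG_ENFORCEMENT}=Compatibility")
        else:
            problems.append(f"{name}: not a directory security setting on this page")
    return problems


def audit(entries):
    """Summarise DescribeSettings-shaped entries: legacy items still applied as
    Enable, failed updates (original value stays in effect), and in-flight
    updates, since no other setting can be edited while one shows Updating."""
    report = {"legacy_enabled": [], "failed": [], "updating": []}
    for e in entries:
        if e["Name"] in LEGACY and e.get("AppliedValue") == "Enable":
            report["legacy_enabled"].append(e["Name"])
        if e.get("RequestStatus") == "Failed":
            report["failed"].append(e["Name"])
        elif e.get("RequestStatus") == "Updating":
            report["updating"].append(e["Name"])
    report["can_edit"] = not report["updating"]
    return report


def retry_failed(entries):
    """Entries to resubmit for failed updates: re-send the RequestedValue."""
    return [{"Name": e["Name"], "Value": e["RequestedValue"]}
            for e in entries if e.get("RequestStatus") == "Failed"]


SAMPLE_ENTRIES = [  # constructed sample in the assumed DescribeSettings shape
    {"Name": "TLS_1_0", "AppliedValue": "Enable", "RequestedValue": "Disable", "RequestStatus": "Failed"},
    {"Name": "TLS_1_1", "AppliedValue": "Disable", "RequestedValue": "Disable", "RequestStatus": "Updated"},
    {"Name": "RC4_128_128", "AppliedValue": "Enable", "RequestedValue": "Enable", "RequestStatus": "Default"},
    {"Name": "AES_128_128", "AppliedValue": "Enable", "RequestedValue": "Enable", "RequestStatus": "Default"},
    {"Name": STRONG_ENFORCEMENT, "AppliedValue": "Compatibility", "RequestedValue": "Compatibility", "RequestStatus": "Updated"},
]


def apply_plan(directory_id, settings):
    """Send a validated plan; assumes boto3's ds.update_settings(DirectoryId, Settings)."""
    problems = validate_settings(settings)
    if problems:
        raise ValueError("; ".join(problems))
    import boto3  # imported here so everything else runs offline
    return boto3.client("ds").update_settings(DirectoryId=directory_id, Settings=settings)


if __name__ == "__main__":
    print(audit(SAMPLE_ENTRIES))
    print(retry_failed(SAMPLE_ENTRIES))
    print(validate_settings(hardening_plan()))
```

Run the module as-is to see the audit of the constructed sample (TLS 1.0 still applied as Enable after a failed update, RC4 128/128 enabled at its default) and the retry list it produces; point `apply_plan` at a real directory ID only after `validate_settings` returns an empty list and `audit` reports `can_edit` as true.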