Configure directory security settings - AWS Directory Service

Configure directory security settings

You can configure fine-grained directory settings for your AWS Managed Microsoft AD to meet your compliance and security requirements without any increase in operational workload. In directory settings, you can update secure channel configuration for protocols and ciphers used in your directory. For example, you have the flexibility to disable individual legacy ciphers, such as RC4 or DES, and protocols, such as SSL 2.0/3.0 and TLS 1.0/1.1. AWS Managed Microsoft AD then deploys the configuration to all domain controllers in your directory, manages domain controller reboots, and maintains this configuration as you scale out or deploy additional AWS Regions. For all available settings, see List of directory security settings.

Edit directory security settings

You can configure and edit settings for any of your directories.

To edit directory settings
  1. Sign in to the AWS Management Console and open the AWS Directory Service console at https://console.aws.amazon.com/directoryservicev2/.

  2. On the Directories page, choose your directory ID.

  3. Under Networking & security, find Directory settings, and then choose Edit settings.

  4. In Edit settings, change the Value for the settings that you want to edit. When you edit a setting, its status changes from Default to Ready to Update. If you have edited the setting previously, its status changes from Updated to Ready to Update. Then, choose Review.

  5. In Review and update settings, see Directory settings and make sure that the new values are all correct. If you want to make any other changes to your settings, choose Edit settings. When you’re satisfied with your changes and ready to implement the new values, choose Update settings. Then, you’re taken back to the directory ID page.

    Note

    Under Directory settings, you can view the Status of your updated settings. While settings are implemented, the Status displays Updating. You cannot edit other settings while a setting displays Updating under Status. The Status displays Updated if the setting successfully updates with your edit. The Status displays Failed if the setting fails to update with your edit.

Failed directory security settings

If an error occurs during a settings update, the Status displays as Failed. In a failed status, the settings do not update to the new values, and the original values remain implemented. You can retry updating these settings or revert them to their previous values.

To resolve failed settings updates
  • Under Directory settings, choose Resolve failed settings. Then, do one of the following:

    • To revert your settings back to their original value before the failure state, choose Revert failed settings. Then, choose Revert in the pop-up modal.

    • To retry updating your directory settings, choose Retry failed settings. If you want to make additional changes to your directory settings before retrying the failed updates, choose Continue editing. On Review and retry failed updates, choose Update settings.

List of directory security settings

The following list shows the type, setting name, API name, potential values, and setting description for all available directory security settings.

TLS 1.2 and AES 256/256 are the default directory security settings if all other security settings are disabled. They cannot be disabled.

Type: Certificate Based Authentication

  • Setting name: Certificate Backdating Compensation
    API name: CERTIFICATE_BACKDATING_COMPENSATION
    Potential values: Years: 0 to 50; Months: 0 to 11; Days: 0 to 30; Hours: 0 to 23; Minutes: 0 to 59; Seconds: 0 to 59
    Setting description: Specify a value to indicate the length of time that a certificate can predate a user in Active Directory and still be used for authentication in Active Directory. The default value is 10 minutes. You can set this value from 1 second to 50 years.
    To configure this setting, you must select the Compatibility type for Strong Certificate Binding Enforcement.
    For more information, see KB5014754: Certificate-based authentication changes on Windows domain controllers in the Microsoft Support documentation.

  • Setting name: Certificate Strong Enforcement
    API name: CERTIFICATE_STRONG_ENFORCEMENT
    Potential values: Compatibility, Full Enforcement
    Setting description: Specify either of the following enforcement types:
      • Compatibility (default): Authentication is allowed if a certificate can't be strongly mapped to a user. If the certificate predates the user account in Active Directory, you must also set Certificate Backdating Compensation, or authentication will fail.
      • Full Enforcement: Authentication isn't allowed if a certificate can't be strongly mapped to a user. If you choose this enforcement type, Certificate Backdating Compensation can't be configured.
    For more information, see KB5014754: Certificate-based authentication changes on Windows domain controllers in the Microsoft Support documentation.

Type: Secure Channel: Cipher

  • Setting name: AES 128/128
    API name: AES_128_128
    Potential values: Enable, Disable
    Setting description: Enable or disable the AES 128/128 encryption cipher for secure channel communications between domain controllers in your directory.

  • Setting name: DES 56/56
    API name: DES_56_56
    Potential values: Enable, Disable
    Setting description: Enable or disable the DES 56/56 encryption cipher for secure channel communications between domain controllers in your directory.

  • Setting name: RC2 40/128
    API name: RC2_40_128
    Potential values: Enable, Disable
    Setting description: Enable or disable the RC2 40/128 encryption cipher for secure channel communications between domain controllers in your directory.

  • Setting name: RC2 56/128
    API name: RC2_56_128
    Potential values: Enable, Disable
    Setting description: Enable or disable the RC2 56/128 encryption cipher for secure channel communications between domain controllers in your directory.

  • Setting name: RC2 128/128
    API name: RC2_128_128
    Potential values: Enable, Disable
    Setting description: Enable or disable the RC2 128/128 encryption cipher for secure channel communications between domain controllers in your directory.

  • Setting name: RC4 40/128
    API name: RC4_40_128
    Potential values: Enable, Disable
    Setting description: Enable or disable the RC4 40/128 encryption cipher for secure channel communications between domain controllers in your directory.

  • Setting name: RC4 56/128
    API name: RC4_56_128
    Potential values: Enable, Disable
    Setting description: Enable or disable the RC4 56/128 encryption cipher for secure channel communications between domain controllers in your directory.

  • Setting name: RC4 64/128
    API name: RC4_64_128
    Potential values: Enable, Disable
    Setting description: Enable or disable the RC4 64/128 encryption cipher for secure channel communications between domain controllers in your directory.

  • Setting name: RC4 128/128
    API name: RC4_128_128
    Potential values: Enable, Disable
    Setting description: Enable or disable the RC4 128/128 encryption cipher for secure channel communications between domain controllers in your directory.

  • Setting name: Triple DES 168/168
    API name: 3DES_168_168
    Potential values: Enable, Disable
    Setting description: Enable or disable the Triple DES 168/168 encryption cipher for secure channel communications between domain controllers in your directory.

Type: Secure Channel: Protocol

  • Setting name: PCT 1.0
    API name: PCT_1_0
    Potential values: Enable, Disable
    Setting description: Enable or disable the PCT 1.0 protocol for secure channel communications (Server and Client) on the domain controllers in your directory.

  • Setting name: SSL 2.0
    API name: SSL_2_0
    Potential values: Enable, Disable
    Setting description: Enable or disable the SSL 2.0 protocol for secure channel communications (Server and Client) on the domain controllers in your directory.

  • Setting name: SSL 3.0
    API name: SSL_3_0
    Potential values: Enable, Disable
    Setting description: Enable or disable the SSL 3.0 protocol for secure channel communications (Server and Client) on the domain controllers in your directory.

  • Setting name: TLS 1.0
    API name: TLS_1_0
    Potential values: Enable, Disable
    Setting description: Enable or disable the TLS 1.0 protocol for secure channel communications (Server and Client) on the domain controllers in your directory.

  • Setting name: TLS 1.1
    API name: TLS_1_1
    Potential values: Enable, Disable
    Setting description: Enable or disable the TLS 1.1 protocol for secure channel communications (Server and Client) on the domain controllers in your directory.
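
The following is an added example, not AWS sample code, that audits a directory's settings and plans the same change the console procedure makes, using the API names listed above. It assumes the boto3 Directory Service client's describe_settings and update_settings calls and that each entry carries Name, AppliedValue, and RequestStatus fields; the choice of which settings count as legacy and the sample entries are constructed for the example.

```python
# Added example, not AWS sample code. Setting names come from the list above.
# Assumption: entries look like DescribeSettings "SettingEntries" items.
LEGACY = {  # ciphers and protocols this example treats as legacy
    "DES_56_56", "RC2_40_128", "RC2_56_128", "RC2_128_128", "RC4_40_128",
    "RC4_56_128", "RC4_64_128", "RC4_128_128", "3DES_168_168",
    "PCT_1_0", "SSL_2_0", "SSL_3_0", "TLS_1_0", "TLS_1_1",
}

SAMPLE = [  # constructed entries for an offline run
    {"Name": "TLS_1_0", "AppliedValue": "Enable", "RequestStatus": "Default"},
    {"Name": "RC4_128_128", "AppliedValue": "Enable", "RequestStatus": "Failed"},
    {"Name": "SSL_3_0", "AppliedValue": "Disable", "RequestStatus": "Updated"},
    {"Name": "AES_128_128", "AppliedValue": "Enable", "RequestStatus": "Default"},
]

def fetch_entries(directory_id):
    """Read every setting entry for a directory, following NextToken."""
    import boto3  # imported here so the offline functions need no AWS SDK
    ds, entries, token = boto3.client("ds"), [], None
    while True:
        extra = {"NextToken": token} if token else {}
        page = ds.describe_settings(DirectoryId=directory_id, **extra)
        entries.extend(page["SettingEntries"])
        token = page.get("NextToken")
        if not token:
            return entries

def plan_update(entries):
    """Return (settings_to_disable, failed_names) for an UpdateSettings call."""
    updating = [e["Name"] for e in entries if e.get("RequestStatus") == "Updating"]
    if updating:
        # No setting can be edited while another one is still Updating.
        raise RuntimeError("update in progress: " + ", ".join(updating))
    failed = [e["Name"] for e in entries if e.get("RequestStatus") == "Failed"]
    enabled = sorted(e["Name"] for e in entries
                     if e["Name"] in LEGACY and e.get("AppliedValue") == "Enable")
    return [{"Name": n, "Value": "Disable"} for n in enabled], failed

def apply_update(directory_id, settings):
    """Submit the planned changes for the directory."""
    import boto3
    return boto3.client("ds").update_settings(DirectoryId=directory_id, Settings=settings)

if __name__ == "__main__":
    settings, failed = plan_update(SAMPLE)
    print("disable:", settings)
    print("failed, retry or revert:", failed)
```

Entries reported as failed still have their original values applied, so they appear in the disable plan again until the update succeeds or is reverted.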