DEPARTEMENT OF THE NAVY

HEADQUARTERS UNITED STATES MARINE CORPS

3000 MARINE CORPS PENTAGON
WASHINGTON, DC 20350-3000

IN REPLY REFER TO:

5231/01C
C4
16 Aug 2018

From: Director, Command, Control, Communications, and Computers (C4)

Department

Subj: ENTERPRISE SERVICE ROLES, RESPONSIBILITIES, AND PERMISSIONS GUIDE

Ref: (a) MCO 5271-01C

Encl: (1) Information Resources Management (IRM) 5231-01 V 3.0 Enterprise

Service Roles, Responsibilities, and Permissions Guide

1. Purpose. To update and outline the technical security roles and

responsibilities for supporting regionally hosted Marine Corps Enterprise
Services. This document defines standard and recommended access control
entries on Active Directory integrated and Non-Active Directory integrated
enterprise systems. This guide includes the Marine Corps Enterprise Network
Active Directory Organizational Unit structure and permissions and is
applicable to both classified and unclassified Enterprise Services.

2. Cancellation. This IRM 5231-01 version 3.0 effectively cancels all

previous IRM 5231-01 documents. In order to remain current on emerging
technologies and programs across the MCEN, this document will be reviewed
every six months and updated accordingly.

3. Authority. The information promulgated in this publication is based upon

policy and guidance contained in the reference.

4. Applicability. This publication is applicable to the entire Marine

Corps.

5. Scope

a. Compliance. Compliance with the provisions of this publication is

required unless a specific waiver is requested.

b. Waivers. Waivers to the provisions of this publication will be

authorized by the Commanding General, Marine Forces Cyberspace Command.

6. Sponsor. The sponsor of this technical publication is HQMC C4/CP.

L. M. MAHLOCK

Distribution Statement A: Approved for public release; distribution is unlimited.

PCN 18623001700
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

MARINE CORPS INFORMATION RESOURCES MANAGEMENT (IRM)

5231-01

ENTERPRISE SERVICE ROLES, RESPONSIBILITIES, AND PERMISSIONS

GUIDE

August 15, 2018

Version 3.0

Headquarters United States Marine Corps (HQMC) Command, Control,

Communications, and Computers (C4) Plans and Policy (CP) Division

2
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

Revision History
Document Date Revision Made By Description of Revisions Pg #
Revision #
1.0 August 2011 HQMC C4/CP Signed Initial Release
2.0 November Jim Calvin Updates throughout, including
2015 expansion of tactical
2.1 August 2016 Maj Shannon Clancy Updates to all All
2.1 August 2016 Jim Calvin Comments / review All
2.2 February 2017 Jim Calvin Updated MCNOSC references to All
MCCOG
2.3 January 2018 Jim Calvin Added Service Accounts section
2.3.1 8 June 2018 Capt Aaron Mora Added to Tactical-Extensions
2.4 19 June 2018 Maj Joni Ong Updates to all from DON Tracker CRM All
3.0 31 July 2018 Jeff Hunter Signed Release

3
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

Table of Contents

1. Introduction ......................................................................................................................................... 5
2. Purpose ................................................................................................................................................ 5
3. AD Methodology .................................................................................................................................. 6
4. Considerations...................................................................................................................................... 8
Regional Boundary Concept...................................................................................................................... 8
Windows Credential Theft Mitigation ...................................................................................................... 9
Account/Object Retention ........................................................................................................................ 9
Service Accounts ....................................................................................................................................... 9
Tactical Extensions OU ............................................................................................................................ 10
Programs of Record OU .......................................................................................................................... 10
Staging OU............................................................................................................................................... 10
5. Roles and Responsibilities .................................................................................................................. 11
Appendix A. Enterprise Permissions ........................................................................................................... 12
Appendix B. MCEN Active Directory OU Structure ..................................................................................... 21
Appendix C. Windows Credential Theft Use Cases ..................................................................................... 22
Appendix D. Active Directory OU Modification Process ............................................................................. 26
Appendix F. Group Policy Objects Modification/Request Process ............................................................. 28
Appendix G. References .............................................................................................................................. 29

4
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

1. Introduction

In order to maintain cybersecurity and information dominance, the Marine Corps must provide an
information environment that is both secure and supportive of operational requirements. This balance
for Directory Services is achieved through the management and maintenance of the Active Directory
(AD) Forests and Domains supporting Marine Corps applications, users, and devices. Permissions (user
and administrative) and the AD Organizational Unit (OU) structure are critical elements that enable
effective management and security of systems. The Marine Corps Strategy for Assured Command and
Control, published in March 2017, states that Marine Corps Command and Control is best realized via an
“interoperable and resilient MCEN.” The Marine Corps Enterprise Network (MCEN) is the Marine Corps’
network of networks and approved interconnected network segments. It comprises people, processes,
logical and physical infrastructure, architecture, topology, and Cyberspace Operations. Furthermore,
the MCEN incorporates elements of:

 Operations and maintenance functions that provision data transportation, enterprise services,
network services, and boundary defense
 Programs of Record that provide network services to forward deployed forces

The Secret Internet Protocol Routed Network (SIPRNet) Concept of Employment (COE) established the
delegation of functional support responsibility for Information Technology (IT) services and capabilities
under a regional construct. In this document, regional refers to the eight MITSCs named in the SIPRNet
COE until it is superseded by revised or updated documentation. These services and capabilities are
broken down into three main categories:

 Security/Network Assurance
 Enterprise
 Regional/Local

This guide addresses enterprise services in support of garrison operations. Deployed MCEN (DMCEN)
Concept of Operations (CONOPS) will be published in future updates to this publication. Enterprise
services are those provided, operated, and maintained by the Marine Corps Cyberspace Operations
Group (MCCOG). Generally, enterprise services are the common physical/virtual infrastructure,
applications, and services operated and managed in support of all users and organizations across the
Marine Corps. This enterprise implementation provides a dependable, robust, and secure
communication backbone that includes high availability/disaster recovery and supports missions across
the Marine Corps.

2. Purpose

5
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

The purpose of this document is to provide the overarching guidance for enterprise roles,
responsibilities and permissions as they pertain to the operations and maintenance roles and
responsibilities for supporting regionally hosted Marine Corps enterprise services. This document also
defines standard (required) and situationally dependent access control entries on AD/AD-integrated and
non-AD integrated systems in support of the following core services:

 Identity
 Access Management
 Collaboration
 Data Management

Operating enterprise services without aligning permission assignments to directly support roles and
functions increases risk to the MCEN. Clarifying the responsibilities for each organization and defining
clear boundaries improves the security posture and minimizes impact to services caused by change
(particularly incorrect change caused either by human error or malicious intent). While protecting the
information environment, the permission delegation identified in this guide also empowers MITSCs,
Base/Station (B/S), Operational Forces (OPFORs) commands, and Programs of Record to deliver the
highest level of support to end users.

Security principles highlighted through this guide include:

 Least Privilege – Grant administrators only the permissions required to perform their duties.
 Decentralized Administration – Position most administrative activity as close to the end user as
possible for faster, more accurate resolution of issues.
 Tiered Administration – Establish a supporting chain of administrators for issue escalation that
narrows to the engineers of the solution, including centralized vendor support.
 Role Based Administration – The permissions model is designed to be aligned to administrative
functions instead of individual users in order to ease the establishment and maintenance of
security groups.
 Ease of Use – Automated operations and reporting.
 Auditing – Provide oversight of administrative procedures in order to increase transparency and
efficiency.
 Standardization – Issue permissions and conduct activities in the same manner across regional
and administrative boundaries throughout MCEN and DMCEN environments enabling support to
users and objects within respective areas of operations and responsibility.

3. Active Directory Methodology

As a key element of MCEN unification, AD logical structure on the SIPRNet, Marine Corps Worldwide
(MCW) and Non-Secure Internet Protocol Router Network (NIPRNet) MCDS forests have been
restructured to support regionalization requirements. In order to ensure permissions can be delegated

6
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

securely, and with the most flexibility to respond to mission requirements, security groups and nesting
are being leveraged as the foundation.

Groups have been created at each OU administrative level to support AD logical administration and to
lay a framework to facilitate administration of AD-aware services, such as Exchange or SharePoint.

At the core of the enterprise, MCCOG manages all aspects of directory services that are essential to
ensuring the uninterrupted delivery of directory services worldwide. This includes, but is not limited to,
the following administrative tasks:

 Adding and removing domain controllers

 Managing and monitoring replication
 Ensuring the proper assignment and configuration of operations master roles
 Ensuring the recoverability of the directory services databases
 Managing domain and domain controller security policies
 Configuring directory service parameters, such as setting the functional level of a forest
 Defining and linking Group Policy Objects (GPOs) for the enterprise

In the MCEN environment, user support is provided based on geographic location and the Command
and Control (C2) reporting structure established in accordance with (IAW) Marine Corps Bulletin
(MCBUL) 3100. Each region is responsible for managing the content that is stored and protected by AD
and non-AD enterprise systems. Permissions for the management and use of enterprise systems are
identified within Appendix A of this guide and shall be granted accordingly. Data management tasks
include, but are not limited to, managing the following content:

 User accounts, which represent the identities of people who use the network
 Computer accounts, which represent the computers that are joined to domains in the AD forest;
these may be server, printers, or workstation objects
 Wireless handheld devices
 Mailbox administration
 Distribution and delegation of workstation management, which includes managing all aspects of
end-user workstations
 Identification and requests for application of GPOs in support of regional requirements

While detailed, AD OU structure changes based on operational requirements; in general terms, the OU
structure can be broken down into the following levels or tiers (also visually depicted within Appendix
B):

 USMC – The top level OU within the AD, which houses non-default AD objects, domain
controllers, and contacts.
 MCCOG/MITSC – Directly under the USMC OU, this tier provides appropriate levels of
permissions to manage the users, computers, and data within their respective regions.
Administrators within this OU have their system access and authorization requests vetted by the
MCCOG.

7
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

 Base/Stations (B/S) – Specific to each region, these OUs fall under the MITSC, and permissions
are delegated by appropriate regional G-6 in order to support mission requirements.
 Tenant/Supported Commands (T/SC) – Specific to each region, these OUs fall under supporting
regional MITSC and Base/Stations; permissions are delegated by appropriate regional G-6 in
order to support mission requirements.
 Programs of Record (POR) – OUs created under the USMC root containment systems that
cannot be patched, accept default security policies, or be managed in the same manner as
baseline MCEN systems. POR OUs sit at the MITSC level but have differing permissions to affect
their respective objects and required administration.
 Tactical-Extensions (TE) – Tactical Extension OUs are in place to support DMCEN. It also sits at
the MITSC level and is intended to enable deployed users with permissions needed to support
mission requirements.
 USMC Enterprise Administration – This folder is specific to Forest level administrative activity
and is populated by a restricted number of MCCOG administrators only.
 USMC Enterprise Servers – This folder supports those servers performing enterprise service
functions and is managed and maintained by MCCOG administrators.

4. Considerations

Regional Reporting Concept

MCBUL 3100 establishes the C2 reporting structure that aligns to four Regional Network Operations and
Support Centers (RNOSCs) and eight Regional MITSCs. Those RNOSCs are defined below with the
corresponding MITSC alignment:

 RNOSC – LANT
o MITSC East
o MITSC EUR
 RNOSC – NCR
o MITSC NCR
o MITSC HQMC
 RNOSC – RES
o MITSC RES
 RNOSC – PAC
o MITSC West
o MITSC WestPac
o MITSC MidPac

The OU structure and permissions model have been aligned to best support Marine Corps users under
this construct. Any requests for change should be submitted through MARFORCYBER IAW Appendices D
and F via the Request Fulfillment SOP, Appendix G, reference O.

8
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

Windows Credential Theft Mitigation

Windows credential theft is a technique in which an attacker initially gains highest privilege (root,
Administrator, or System, depending on the OS) access to a computer on a network and then uses freely
available tools to extract credentials from sessions of other active accounts. The goal of this type of
attack is to gain credentials of privileged (administrator) or “Very Important Person” (VIP) accounts.
Compromise of either type of credential poses a threat/risk to operations within the MCEN.

In order to counter this risk, several mitigating actions have been implemented. Role-based permission
models have been established to align with industry best practice to support mission requirements at
the lowest level. Additionally, delineation between administrator and normal user account activity is
enforced through the use of privileged access workstations (PAWs). PAWs provide a dedicated OS for
sensitive tasks that are protected from Internet attacks. Administrators must request specific role-
based permissions and use PAWs to access the required tools, via Utility and Jump servers to provide
data management and administration within their designated area of responsibility. Appendix C
illustrates use cases for each administrative activity; these are also further defined in the Utility Server
Design (Appendix G, reference P).

Account/Object Retention
The U.S. National Archives and Records Administration (NARA) mandated that all Federal Agencies
implement a Capstone approach for email management and retention. General Records Schedule 6.1:
Email Managed under a Capstone Approach (Appendix G, reference E) identifies individuals who are
classified as a Capstone Official. Records of Capstone Officials are considered permanent records that
must be retained by the agency and later transferred to NARA. The policy also mandates that emails of
Non-Capstone officials must be maintained for seven years; emails of support and administrative
personnel must be retained for three years.

Dormant user objects/accounts within AD can serve as a gateway for attackers to access the Marine
Corps information environment. Data and licensing resources are taxed by maintaining these accounts
on the MCEN. For these reasons, it is critical that established policy is followed relating to dormant
account management and maintenance. AD administrators shall adhere to guidance identified within
MARFORCYBER FRAGO 008 and ECSM 007 (Appendix G, reference C) for account disabling and/or
deactivation. Accounts/objects that were disabled will remain within the AD OU until automated data
retention policies are implemented.

Service Accounts
Service accounts are AD user objects or Group Managed Service Account objects that have been created
within AD and placed in a specific OU based on the administrative tier (MCCOG, MITSC, PoR) that is
responsible for its management. Service accounts facilitate the execution of a service process on a
computer that requires certain permissions. Services use the service accounts to log on and make
changes to the OS or configuration. Service accounts are critical to the management of a particular
service and must be established within the appropriate AD OUs (i.e., T/SC and Tactical Extension OUs to

9
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

support DMCEN operations) for continuous operations and management of services. IAW Appendix A,
only MCCOG has the responsibility to create and manage service accounts.

In adherence with the MARFORCYBER requirement to tighten identity and access management
practices, the requirement for service accounts must follow a stringent process. Service accounts are
placed in two groups upon creation: one that prevents them from being Smart Card enforced for
interactive log-on, and one that denies them interactive log-on on Windows operating systems in the
unified forest.

For a service account to have value, it must belong to one or more control groups so that it can
accomplish the set of tasks enabled by that membership. The application/service owner is responsible
for identifying the set of tasks that a service account must be allowed to execute. Service accounts must
adhere to existing FRAGO and STIG requirements, must be registered in the application/service
delegated permissions model, and must use the MCEN Naming Standard for Application and Systems
(Appendix G, reference L) in the construction of their names.

Tactical Extensions Organizational Unit

The Tactical-Extensions OU structure identified within AD will allow Commanders to deploy essential
Enterprise services and information resources without the need to establish tactical domains and create
new user identities. This concept is described in the DMCEN COE (Appendix G, reference A) signed in
2017. The DMCEN Technical Implementation Guide (TIG) (Appendix G, reference B) and the future
DMCEN CONOPS will provide procedures on how the Marine Corps will implement tactical extensions.
This document will focus on administration of Enterprise services and applications approved to reside on
MCEN tactical extensions once the DMCEN CONOPS and DMCEN TIG are officially released. As the
CONOPS matures, this guide will be updated to reflect established permissions.

Programs of Record Organizational Unit

PORs are those systems or applications that are not operated and maintained but are supported by the
MCCOG. In general, PORs are systems and applications that are not enterprise services or systems such
as MCEN end user devices. PORs may be AD integrated; however, system configurations are maintained
by acquisition commands such as Marine Corps Systems Command or NAVAIR. As depicted within
Appendix A, POR objects that are AD integrated will be located within POR OUs that are in the same
tier/level as the MITSCs since PORs have unique requirements that, in some cases, will not allow full
functionality if standard enterprise security policies and settings are applied. Additionally, the
administration of POR objects may differ from “standard” user and computer objects. The POR
Playbook, Appendix G, reference F, further identifies the process for AD OU creation, group policy
implementation and the modification process, as well as other requirements to operate on the MCEN.

Staging OU
The Staging OU exists to allow for object movement between MITSC OUs. No MITSC administrator can
delete objects within a different MITSC's OU branch. Therefore, in order to move computers or users
between MITSC OUs establishment of a transition area was required. Source MITSC administrators
(where the user or computer is coming from) move relevant object(s) into Staging. Destination MITSC
10
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

administrators then move the object(s) from Staging to an appropriate destination OU. The Staging OU
shall not be used as a repository for disabled or expired user objects, nor for TAD/TDY or
deployed users.

5. Roles and Responsibilities

Roles and responsibilities outlined within this section are further delineated within Appendix A.
Appendix A specifically identifies the entities conducting operations and maintenance roles throughout
the MCEN (MCCOG, MITSC, POR managers) and the level of permissions provided to each role
(tier/level) respective to each enterprise system.

MCCOG
MCCOG is accountable and responsible for the operations and maintenance of enterprise service
equipment/infrastructure throughout the MCEN. They also maintain authority for MCEN AD OU
structure and permissions delegation, as well as administering objects and their containers at the
enterprise level. Management of AD objects supporting MARFORCYBER, Enterprise Service Desk, and
MCCOG Detachments also fall under the MCCOG.

MITSC
MITSCs are accountable and responsible for operations and maintenance functions of enterprise
systems within their respective region as identified within Appendix A. Additionally, MITSCs have the
ability to support inherited functions down to the B/S and T/SC level as defined within Appendix A and
modify membership to subordinate OU security groups. Any escalation of support required shall be
coordinated with the MCCOG.

Base/Station (B/S)
Base/Station Commands are accountable and responsible for operations and maintenance functions of
enterprise systems within their respective area or region as identified in Appendix A. Any escalation of
support required shall be coordinated with their supporting MITSC.

Tenant/Supported Command (T/SC)

Tenant/Supported Commands are accountable and responsible for operations and maintenance
functions of enterprise systems as identified in Appendix A. Tenant/Supported Commands may be
OPFOR commands or other supporting establishment commands that fall within a MITSC’s and B/S’s
area of responsibility. Any escalation of support required shall be coordinated with their respective
supporting B/S and/or MITSC. Permissions will be requested and granted as required via the MITSC.

Major Subordinate Commands (MSC)

Major Subordinate Commands are accountable and responsible for enterprise directory, messaging and
file-sharing functions when operating in a DMCEN environment. Identified MSCs, or MEF G-6/Network
Operations administrators (who may also be administrators for T/SC AD objects), are accountable and
11
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

responsible for specific enterprise directory, messaging, file sharing, domain controller, DHCP, and DNS
functions that will be outlined in this section in the future. These services are intended to provide
Operational Commanders required support when operating in network-denied situations while in a
DMCEN architecture. This section will be updated as DMCEN CONOPS further matures. Permissions will
be requested and granted as required. The process in which permissions are granted, AD objects are
moved from a T/SC OU to a Tactical Extensions OU, and incidents/work orders are escalated will be
described further with DMCEN documentation.

Major Subordinate Elements (MSE)

Major Subordinate Elements are accountable and responsible for enterprise directory, messaging and
file-sharing functions when operating in a DMCEN environment. MSEs, or DIV/MLG/MAW G-6/Network
Operations administrators (who may also be administrators for T/SC AD objects), are accountable and
responsible for specific enterprise functions that will be outlined in this section in the future. These
services are intended to provide Operational Commanders required support when operating in network
denied environments while in a DMCEN architecture. This section will be updated as DMCEN CONOPS
further matures. Permissions will be requested and granted as required. The process in which
permissions are granted, AD objects are moved from a T/SC OU to a Tactical Extensions OU, and
incidents/work orders are escalated will be further identified with DMCEN documentation.

Cyber Protection Teams (CPT)

CPTs serve as the quick reaction defensive force responding to network intrusions. CPTs may be
required to have full control and at a minimum, read rights, to enterprise systems and applications.
Permissions will be requested and granted as required via the MCCOG.

HQMC C4/CY ICE DEMon/White Team

The Marine Corps Institutional Cybersecurity Enterprise Defense Monitoring Team (ICE DEMon Team),
also known as the "White Team," independently identifies and validates vulnerabilities on all systems
and network devices in order to reduce the overall risk to the MCEN. In order to perform vulnerability
assessment activities on a continual basis, the White Team requires administrative access to all MCEN
information systems. System/application access is granted via the Marine Authorizing Official and the
MCCOG.

POR
POR managers are accountable and responsible for operations and maintenance functions of enterprise
systems as identified in Appendix A in their respective area of responsibility/region and IAW the POR
Playbook (Appendix G, reference F). Permissions will be requested and granted as required via the
MCCOG.

Appendix A. Enterprise Permissions

The following permissions are assigned in order to enable organizations to execute the roles and

12
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

responsibilities as identified within the MCBUL 3100. The delegation of permissions has been designed
to allow maximum flexibility within all organizations while maintaining a defensive and secure posture
for the enterprise. Certain permissions will only need to be applied once for the given forest/domain or
MITSC datacenter, and then applied as required for delegation below the MITSC. Permissions identified
within the RASCI chart are codified in support and control security groups and defined within each
system’s delegated permissions model. This Appendix will be updated as enterprise technologies and
services are added or decommissioned throughout the MCEN.

Callouts Notes
(a) Limited create/delete based on the parent container. Full control over created leaf objects
(b) Default assumption for Program of Record OUs is UNMANAGED at top level, MANAGED at MITSC level
(c) Sites, Site Connectors, Subnets, Manual Replication Connections
(d) Includes administrative security groups for B/S
(e) Includes administrative security groups for T/SC
(f) Support of public folders is decremented. SharePoint shared mailboxes, or Exchange resource mailboxes
(g) Enterprise Service Desk
(h) Start and stop virtual machines
(i) Includes initial connection setup of scanners

Program of Record
Tenant/Supported
F=Full Control

Base/Station
E=Enterprise

M=Modify (Add, remove, change)

D=DMCEN

Command
MCCOG

MITSC

W=Write (Add, remove)

R=Read (Read, audit, use/execute)
*=Inherited permissions
blank=No access

Administer means to Add, Change, Remove, Configure

ACAS
E Administer Security Center servers F
E Administer Nessus Scanner servers F
E Administer Security Center application (i) F
E Run scans scoped to the enterprise W
E Run scans scoped to the MITSC * W
E Run scans scoped to the B/P/C/S * * W
E Run scans scoped to the T/SC * * * W
E Run scans scoped to the POR * W
ADFS
E Add ADFS Server to Farm F
E Add WAP Server to Farm F

13
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

E Add / Change Claims Provider F

E Add / Change Replying Party Trust F
E Update Certificates F
BES
E Administer BES Server F
E Administer Devices & Users (See also Messaging) F M W W
Change Auditor
E Administer Change Auditor server F
E Administer Change Auditor application F
E Generate reports F M M M M
Cisco ACS
E Administer ACS Appliance F
E Administer ACS Software Instance F
E Administer Account and Device Management F
Desired State Configuration
E Administer DSC pull web server F
Administer configuration Management Object Files
E (MOF) F
E Verify DSC implementation on enterprise servers F
E Verify DSC implementation on MITSC servers * M
E Verify DSC implementation on B/S servers * * M
E Verify DSC implementation on T/SC servers * * * M
E Verify DSC implementation on POR servers * R R R(b)
Distributed File System
E Administer DFS servers F
E Administer DFS namespace F
E Submit share UNC paths * F
E Administer DFS replication groups F
DNS - External
E Administer public DNS servers F
E Administer public DNS zones F
DNS - Internal
E Administer internal standalone DNS servers F R R R R
E Administer domain controllers F R R R R
E Administer enterprise DNS zones F R R R R
F5
E Administer F5 appliance F
E Audit F5 configuration and logs R
Forward Proxy
E Administer Forward Proxy application and server F
Forward Proxy Reporter

14
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

E Administer BC Reporter F
E Run Reports BC Reporter R R R R
HBSS
E Administer, manage, and maintain MCEN HBSS servers F
Installs/maintains the HBSS point-products on the HBSS
E servers F
E Create and maintain MCEN HBSS accounts F
E Administer permissions for MCEN HBSS accounts F
E Create and maintain MCEN HBSS policies F
Implement HBSS modules and policies IAW policies and
E directives F
E Virus Scan Enterprise administration F R R R
E Host Intrusion Prevention System (HIPS) administration F R R R
E Rogue Systems Detection administration F R R R
E Data Loss Prevention (DLP) administration F R R R
E Policy Auditor (PA) F R R R
E Asset Configuration and Compliance F R R R
E Implement HBSS modules at the MITSC level * W R R
E Implement HBSS modules at the B/S level * * W R
E Implement HBSS modules at the T/SC level * * * W
E Administer top level organizational structure F
E Administer the organizational structure at MITSC level * M R R
E Administer the organizational structure at B/S level * * M R
E Administer the organizational structure T/SC level * * * M
E Create, edit, view, run, and terminate Scheduler tasks F R R R
E Patch and update HBSS servers F
Identity and Access Management
E Administer root domain controllers F
E Administer child domain controllers F
E Administer organizational units F R R R R
E Administer leaf objects at MITSC level (d) * F(a) R R R
E Administer leaf objects at B/S level (e) * * F(a) R R
E Administer leaf objects at T/SC level * * * F(a) R
E Administer leaf objects at POR level * R R R F(a)(b)
E Administer leaf objects at MITSC level under POR * F(a) R R *
E Administer group policy objects F R R R R
E Administer group policy links and link order F R R R R
E Administer forest FSMO roles F R R R R
E Administer domain FSMO roles F R R R R
E Administer AD Integrated DNS Zones F R R R R
E Administer service accounts F R R R R

15
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

E Administer AD Physical Components (c) F R R R R

E Administer AD Schema F R R R R
E Administer forest and domain trusts F R R R R
E Administer USMC Enterprise Servers leaf objects F R R R R
E Administer USMC Enterprise Administration leaf objects F R R R R
IP Address Management
E Administer IPAM - Enterprise F R
E Administer IPAM - MITSC * M *
E Administer IPAM - B/S * * M *
Key Management Service
E Obtain licenses from MCSELMS F
E Administer KMS servers F
MEMS
E Administer MEMS services and servers F
E Manage end-user views (BSM) F M M
E Manage Operations Agent and policies (OMW) F R R
E Manage network device discovery (NNM) F R R
E Manage network device configuration (NA) F M M
E Manage Configuration Item collections (UCMDB) F R R
E Manage end-user access to web F R R
Messaging
E Administer messaging services and servers F R R R
E Administer organizational level configuration settings F R R R
E Administer mailbox settings at MITSC level * M R R
E Administer mailbox settings at B/S level * * M R
E Administer mailbox settings at T/SC level * * * M
E Administer distribution groups at MITSC level * M R R
E Administer distribution groups at B/S level * * M R
E Administer distribution groups at T/SC level * * * M
E Administer top level public folders F
E Administer public folders at MITSC level * M R R
E Administer public folders at B/S level * * M R
E Administer public folders at T/SC level * * * M
E Administer global address list F
G Administer GFE handhelds at MITSC level (See also BES) F
G Administer GFE handhelds at B/S level (See also BES) F
G Administer GFE handhelds at T/SC level (See also BES) F

16
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

OPDRS
E Administer OPDRS Users F
E Administer OPDRS Structure Hierarchy F
E Draft and Release Directives, Advisories, and MDTMs F R R R R
E Report Compliance F M M M M
E Manage POA&Ms F M M M M
E Administer Servers and Services F
E Administer Web Applications F
Public Key Infrastructure
E Administer Certificate Authorities F
E Administer Center Servers F
E Administer OCSP Responders F
E Administer Support Servers F
E Administer OCSP Repeaters F
E Manage CAC PIN Reset Workstations F
E Administer leaf objects at POR level F
E Administer group policy objects at POR level F R R R M
E Administer group policy links and link order at POR level F R R R M
Remedy
E Remedy Admin - add users, manage workflow, etc. F
E Administer Remedy servers F
Remote Desktop Services
E Administer enterprise licensing servers F
E Administer enterprise RDS session hosts F
E Administer enterprise RDS environment F
E Administer enterprise RDS GPO settings F
E Administer command licensing servers F
E Administer command RDS session hosts F
E Administer command RDS environment F
E Administer command RDS GPO settings F R
Reverse Proxy
E Administer Threat Management Gateway servers F
E Administer Threat Management Gateway configuration F
E Administer Web Application Proxy servers F
E Administer Web Application Proxy configuration F
Recovery Manager for AD
E Administer RMAD server F
E Administer RMAD application F
E Administer backups F
E Generate report F
E Perform restores F

17
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

System Center Configuration Manager

E Administer SCCM servers F
E Administer SCCM permissions F
E Administer SCCM client settings F R R R R
E Administer SCCM collections at MITSC level F M
E Administer SCCM collections at BPS level * * M
E Administer SCCM roles F R R R R
E Administer Microsoft Update groups (WSUS) F R R R R
E Administer Electronic Software Delivery configurations F R R R R
Administer Operating System Deployment
E configurations F R R R R
E Administer and deploy configuration baselines F R R R R
E Administer and deploy Windows Defender settings F R R R R
E Administer and run reports within SSRS F R R R R
E Administer and run queries F
E Administer and run status messages F R R R R
System Center Operations Manager
E Administer SCOM servers F
E Administer SCOM application F
E Administer SCOM portal F
E Generate reports R R R R R
E Administer custom reports F
E Administer management packs F R R R R
System Center Orchestrator
E Administer SCORCH servers F
E Administer SCORCH application F
E Administer automation tasks F
System Center Service Manager
E Administer SCSM servers F
E Administer SCSM application F
E Administer SCSM portal F
E Run automation tasks F(g)
E Generate reports R R R R R
E Administer custom reports F
Server Builds
E Create or modify SHB F
E Create or modify VM templates from USMC SHB F
E Deploy VMs from template F
E Use USMC SHB to deploy physical servers R R R R R
E Create or modify SCCM OSD task sequences for server F R R R R
E Deploy SCCM OSD task sequences * R R R R

18
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

Security Information and Event Management (SIEM)

Administer, manage, and maintain MCEN SIEM
E infrastructure F
E Create and maintain SIEM accounts F
E Create and maintain SIEM policies F
E Access SIEM dashboard F R R
E Create and administer custom views F R R
E Create alarms F
E Patch and update SIEM servers F
SQL
E Administer enterprise SQL servers F
E Administer enterprise-provided SQL databases F
Storage
E Administration of Command Share at MITSC Level F F
E Administration of Command Share at B/S Level F * F
E Administration of Command Share at the TS/C Level F * * F
E Administration of enterprise storage F
Symantec Protection Engine
E Administer, manage, and maintain MCEN SPE servers F
E Create and maintain MCEN SPE accounts F
E Administer permissions for MCEN SPE accounts F
E Create and maintain MCEN SPE policies F
E Patch and update SIEM servers F
Tanium
E Administer Tanium Servers and Services F
E Patch and Update Tanium servers and application F
E Access Tanium Console F R
Utility
E Administer utility servers F
E Administer source script / RDS licensing servers F R R R R
E Administer roles and features on utility servers F R R R R
E Administer applications on utility servers F R R R R
E Administer IPSec settings on utility servers F

19
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

Virtual Desktop Infrastructure

E Administer root domain controllers F R R R R
E Administer child domain controllers F R R R R
E Administer organizational units F R R R R
E Administer leaf objects at MITSC level (d) * F(a) R R R
E Administer leaf objects at B/S level (e) F R R R R
E Administer leaf objects at T/SC level F R R R R
E Administer leaf objects at POR level F R R R R
E Administer leaf objects at MITSC level under POR * F(a) R R *
E Administer group policy objects F R R R R
E Administer group policy links and link order F R R R R
E Administer forest FSMO roles F R R R R
E Administer domain FSMO roles F R R R R
E Administer AD Integrated DNS Zones F R R R R
E Administer service accounts F R R R R
E Administer AD Physical Components (c) F R R R R
E Administer AD Schema F R R R R
E Administer forest and domain trusts F R R R R
E Administer USMC Enterprise Servers leaf objects F R R R R
E Administer USMC Enterprise Administration leaf objects F R R R R
E Patch and update domain controllers F R R R R
Virtual Server Infrastructure
E Administer virtual servers at MITSC Level F W(h)
E Administer virtual servers at B/S Level F W(h)
E Administer virtual servers at the TS/C Level F W(h)
E Administer virtual servers at the POR Level F W(h)
E Administer enterprise virtual infrastructure F

20
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

Appendix B. MCEN Active Directory OU Structure

This Appendix provides a screenshot of the logical OU structure of MCDSUS AD domain. It does not
contain all the OUs that exist in real time. The current AD structure can be viewed using the Active
Directory Users and Computers application.

21
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

Appendix C. Windows Credential Theft Use Cases

Windows Credential Theft use cases and administrative operations and considerations are further
defined within Utility Server Design, D401. 253-20140501, Version 1.0 dtd 17 Nov 2016. The following
scenarios outline administrative use cases to mitigate Windows Credential Theft.

Scenario 1, Workstation Administration:

Figure 1: Workstation Administration

22
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

Scenario 2, Server Administration:

Figure 2: Server Administration

23
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

Scenario 3, Domain Controller Administration:

Figure 3: Domain Controller Administration

24
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

Scenario 4, DMZ Server Administration:

Figure 4: DMZ Server Administration

25
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

Appendix D. Active Directory OU Modification Process

New OUs should only be introduced to effect a change in administrative delegation or GPO
implementation:
• Administrative delegation (New Tenants or Tenants that have moved to other locations and are
now managed by other regions): Manage user accounts and group account objects.

• GPO implementation (POR OUs): Allows for efficient deployment of GPO settings to
only the users and computers that need the settings.

Modifications to the AD structure may be requested through MCCOG’s Request Fulfillment Process and
by requesting and amending the LF 320 spreadsheet then adding to the Remedy work order request.

Below is an example of the LF320 form/spreadsheet that shall be requested from MCCOG via Remedy

26
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

Work Order, edited, and added back to the Work Order for additional routing and coordination. The
requesting region or command shall request the LF320 for their specific region (for example: MITSC East,
West, PoR)

27
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

Appendix F. Group Policy Objects Modification/Request Process

The below workflow identifies the process by which to request modifications to security settings/GPOs.
The GPO request form is added as a .pdf file below but may also be requested from the MCCOG.

GPO REQUEST
FORM.pdf

28
 FOR OFFICIAL USE ONLY

IRM 5231-01: Enterprise Service Roles, Responsibilities, and Permissions Guide

Appendix G. References

A. Deployable MCEN Concept of Employment version 2.2.0 dtd 14 Nov 2017

B. Deployable MCEN Technical Implementation Guide
C. Enterprise Cybersecurity Manual 007: Resource Access Guide Version 3.0 (update in review via
DON Tracker)
D. Enterprise Cybersecurity Manual 020: Marine Corps Information Assurance Vulnerability
Management Program Version 1.0 dtd 31 Dec 2013
E. General Records Schedule 6.1: Email Managed under a Capstone Approach, Transmittal No. 26
dtd Sept 2016
F. HQMC C4 Program of Record Cybersecurity Playbook (draft)
G. IRM 2300-14: Enterprise Information Technology Service Management Identity and Access
Management Process Guide
H. Marine Corps Bulletin 3100: Operations And Defense of the Marine Corps Enterprise Network
dtd 14 Jul 2017
I. Marine Corps Enterprise Secret Internet Protocol Router Network Concept of Employment,
Version 4.3 dtd 05 Apr 2010
J. Marine Corps Order 5239.2B: Marine Corps Cybersecurity dtd 05 Nov 2015
K. Marine Corps Strategy for Assured Command and Control dtd March 2017
L. MCEN Naming Standard for Application and Systems, Version 2.5 dtd 20 Feb 2018
M. MCEN Service Catalog:
https://eris.mceits.usmc.mil/arsys/forms/ars/SRS%3AServiceRequestConsole
N. MCEN-N Jump Server Installation, D403.MCEN-N SYSLOG Server Installation, Version 1.0 dtd 14
Apr 2016
O. Request Fulfillment Standard Operating Procedures, MCCOG SOP D03-558 dtd 30 May 2017
P. Utility Server Design, D401. 253-20140501, Version 1.0 dtd 17 Nov 2016

29