
Access Control permissions on the FRS Directory data files do not have proper access permissions.


Overview

Finding ID: V-27109
Version: DS00.0121_2003
Rule ID: SV-34409r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.
STIG: Active Directory Service 2003 Security Technical Implementation Guide (STIG)
Date: 2011-05-20

Details

Check Text ( C-32092r1_chk )
1. Use Registry Editor to navigate to HKLM\System\CurrentControlSet\Services\NtFrs\Parameters.

2. Note the value for: Working Directory.

3. Checking the noted location in Windows Explorer, compare the ACLs of the FRS *directory* to the specifications below.

4. If the permissions are not at least as restrictive as those below, then this is a finding.

FRS Directory Permissions:
...\Ntfrs : Administrators, SYSTEM : Full Control (F)
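As an added example (not part of the STIG or of STIG Viewer), the following PowerShell automates steps 1 through 4 of the check on a domain controller: it reads the NtFrs Working Directory value, then reports every allow ACE on that directory that is not Administrators or SYSTEM with Full Control. It assumes an elevated session on the server under review; the function names Get-FrsWorkingDirectory and Test-FrsDirectoryAcl are hypothetical.

```powershell
# Added example, not the STIG's own tooling. Assumes an elevated PowerShell
# session on the domain controller being reviewed.

function Get-FrsWorkingDirectory {
    # Step 1 and 2: read the Working Directory value from the NtFrs parameters key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
    $raw = (Get-ItemProperty -Path $key -Name 'Working Directory').'Working Directory'
    # The value may contain %SystemRoot%; expand it before touching the file system.
    return [Environment]::ExpandEnvironmentVariables($raw)
}

function Test-FrsDirectoryAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals the check text permits; extend only with IAO-approved identities.
        [string[]] $Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $full       = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $findings   = @()
    # Step 3: walk the ACL of the FRS directory itself.
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Deny entries only narrow access, so they never make the ACL less restrictive.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries (e.g. CREATOR OWNER) grant nothing on this directory.
        if (($ace.PropagationFlags -band $inheritOnly) -eq $inheritOnly) { continue }
        $id = $ace.IdentityReference.Value
        if ($Allowed -notcontains $id) {
            # Step 4: any principal beyond the specification is less restrictive -> finding.
            $findings += "FINDING: '$id' holds '$($ace.FileSystemRights)' on $Path"
        }
        elseif ($ace.FileSystemRights -ne $full) {
            # More restrictive than the specification is not a finding, but worth noting.
            $findings += "NOTE: '$id' holds '$($ace.FileSystemRights)' rather than Full Control"
        }
    }
    return $findings
}

$frsPath = Get-FrsWorkingDirectory
Write-Host "FRS working directory: $frsPath"
$result = @(Test-FrsDirectoryAcl -Path $frsPath)
if ($result.Count -eq 0) {
    Write-Host 'ACL matches the check text (Administrators, SYSTEM: Full Control). Not a finding.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Any line beginning with FINDING corresponds to step 4 of the check; NOTE lines are deviations that are tighter than the specification and are reported for the reviewer's information only.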
Fix Text (F-14374r1_fix)
Change the access control permissions on the directory data files to conform to the following guidance:

Windows Permissions:
Administrators, CREATOR OWNER, SYSTEM : Full Control (F)
[Directory server owner account\group] : Full Control (F)
[Directory server execution account\group] : Full Control (F)
[Other directory server group] : Read & Execute (R)
[IAO-approved users \ user groups] : Read & Execute (R)

UNIX Permissions:
root : Read\Write\Exec (7)
[Directory server owner account\group] : Read\Write\Exec (7)
[Directory server execution account\group] : Read\Write\Exec (7)
[Other directory server group] : Read\Exec (5)
[IAO-approved users \ user groups] : Read\Exec (5)

*Note* - As far as possible, no (0) access is to be defined for the “group” and/or “other” permissions on UNIX directories or files containing sensitive data and directory backup files.