
Access control permissions on the GPT directory files must comply with the required guidance.


Overview

Finding ID: V-27119
Version: DS00.0122_2003
Rule ID: SV-34425r1_rule
IA Controls: ECAN-1, ECCD-1, ECCD-2
Severity: High
Description
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. For AD this data includes identification, authentication, and authorization data. A compromise of this data could have grave consequences for a large number of hosts throughout the AD forest that rely on the directory server data to make access control decisions.
STIG: Active Directory Service 2003 Security Technical Implementation Guide (STIG)
Date: 2011-05-20

Details

Check Text ( C-32093r1_chk )
1. At a command line prompt enter “net share”.

2. Note the location for the SYSVOL share.

3. Checking the noted location in Windows Explorer, compare the ACLs of the GPT *directories* (GPT parent and GPT Policies directories) to the specifications below.

4. If the permissions are not at least as restrictive as those below, then this is a finding.

GPT Parent (SYSVOL) and GPT Policies Directories Permissions:

...\SYSVOL
  Administrators, SYSTEM: Full Control (F)
  Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents
  CREATOR OWNER: Full Control (F) - Subfolders and files only

...\SYSVOL\[domain]\Policies
  Administrators, SYSTEM: Full Control (F)
  Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents
  CREATOR OWNER: Full Control (F) - Subfolders and files only
  Group Policy Creator Owners: Read, Read & Execute, List Folder Contents, Modify, Write
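The four check steps above can be scripted instead of walked through in Windows Explorer. The PowerShell below is an added example, not part of the STIG or the viewer page: it reads the SYSVOL share path from the Win32_Share table (the scripted equivalent of step 1 and 2), then compares the ACLs of that directory and of its [domain]\Policies subdirectory against the baseline above, reporting any principal the baseline does not list, any right beyond what the baseline grants that principal, and a CREATOR OWNER entry that is not limited to subfolders and files. The function names (ConvertTo-FileRights, Test-GptDirectoryAcl) and the use of $env:USERDNSDOMAIN and $env:USERDOMAIN to build the Policies path and the Group Policy Creator Owners account name are assumptions of this example, not something the STIG specifies.

```powershell
# Added example: audit the two GPT directories against the baseline in the check text.
# Not part of the STIG. Assumes a domain controller with PowerShell 2.0 or later, and
# that $env:USERDNSDOMAIN / $env:USERDOMAIN name the DC's own domain (assumption).

# Inherit-only ACEs are often stored with generic access bits (GENERIC_READ etc.) rather
# than file-specific rights, so Get-Acl shows them as raw numbers. Map them onto the
# file-specific rights (documented Win32 constants) before comparing with the baseline.
function ConvertTo-FileRights {
    param([int]$Rights)
    $specific = $Rights -band 0x0FFFFFFF                                         # drop the four generic bits
    if (($Rights -band 0x80000000) -ne 0) { $specific = $specific -bor 0x120089 } # GENERIC_READ    -> FILE_GENERIC_READ
    if (($Rights -band 0x40000000) -ne 0) { $specific = $specific -bor 0x120116 } # GENERIC_WRITE   -> FILE_GENERIC_WRITE
    if (($Rights -band 0x20000000) -ne 0) { $specific = $specific -bor 0x1200A0 } # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
    if (($Rights -band 0x10000000) -ne 0) { $specific = $specific -bor 0x1F01FF } # GENERIC_ALL     -> FILE_ALL_ACCESS
    return $specific
}

# The three permission sets named in the check text, as FileSystemRights bit masks.
$FS          = [System.Security.AccessControl.FileSystemRights]
$ReadExecute = [int]($FS::ReadAndExecute -bor $FS::Synchronize)  # Read, Read & Execute, List Folder Contents
$Modify      = [int]($FS::Modify -bor $FS::Synchronize)          # ... plus Modify, Write
$Full        = [int]$FS::FullControl                             # Full Control (F)

# Identity names as Get-Acl reports them. Each value is the MOST that principal may hold;
# any principal not listed, or any right beyond the listed mask, is a finding.
$SysvolAllowed = @{
    'BUILTIN\Administrators'           = $Full
    'NT AUTHORITY\SYSTEM'              = $Full
    'NT AUTHORITY\Authenticated Users' = $ReadExecute
    'BUILTIN\Server Operators'         = $ReadExecute
    'CREATOR OWNER'                    = $Full        # must be "Subfolders and files only"
}
$PoliciesAllowed = $SysvolAllowed.Clone()
$PoliciesAllowed["$env:USERDOMAIN\Group Policy Creator Owners"] = $Modify   # NetBIOS domain name assumed

# Compare one directory's ACL to a baseline. Returns one string per deviation, nothing if clean.
function Test-GptDirectoryAcl {
    param([string]$Path, [hashtable]$Allowed)
    $findings = @()
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Deny ACEs only make the ACL more restrictive, so they are never a finding here.
        if ($ace.AccessControlType -eq 'Deny') { continue }
        $who = $ace.IdentityReference.Value
        if (-not $Allowed.ContainsKey($who)) {
            $findings += "$Path : unexpected principal '$who' ($($ace.FileSystemRights))"
            continue
        }
        $granted = ConvertTo-FileRights ([int]$ace.FileSystemRights)
        $excess  = $granted -band (-bnot $Allowed[$who])
        if ($excess -ne 0) {
            $findings += "$Path : '$who' holds rights beyond the baseline: $([System.Security.AccessControl.FileSystemRights]$excess)"
        }
        # CREATOR OWNER may apply to subfolders and files only, never to the directory itself.
        if ($who -eq 'CREATOR OWNER' -and $ace.PropagationFlags -notmatch 'InheritOnly') {
            $findings += "$Path : CREATOR OWNER ACE is not limited to subfolders and files"
        }
    }
    return $findings
}

# Steps 1 and 2: locate the SYSVOL share the way "net share" would show it.
$share = Get-WmiObject -Class Win32_Share -Filter "Name='SYSVOL'"
if (-not $share) { throw 'SYSVOL share not found; is this a domain controller?' }
$sysvolPath   = $share.Path
$policiesPath = Join-Path $sysvolPath "$($env:USERDNSDOMAIN)\Policies"

# Steps 3 and 4: compare both GPT directories to the baseline and report.
$results  = @()
$results += Test-GptDirectoryAcl -Path $sysvolPath   -Allowed $SysvolAllowed
$results += Test-GptDirectoryAcl -Path $policiesPath -Allowed $PoliciesAllowed

if ($results.Count -eq 0) {
    Write-Output 'Not a finding: GPT directory permissions are at least as restrictive as the baseline.'
} else {
    Write-Output 'FINDING (V-27119): GPT directory permissions are less restrictive than the baseline.'
    $results | ForEach-Object { Write-Output "  $_" }
}
```

Run it in an elevated PowerShell session on the domain controller being reviewed. Because the check says "at least as restrictive", the script treats every extra principal as a deviation even when that principal is legitimate in a particular environment; review such lines against local documentation rather than suppressing them in the script.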

Fix Text (F-7973r3_fix)
Ensure the access control permissions on the AD database, log, and work files are set as follows:

...\ntds.dit: Administrators, SYSTEM: Full Control (F)
...\edb*.log, ...\res*.log: Administrators, SYSTEM: Full Control (F)
...\temp.edb, ...\edb.chk: Administrators, SYSTEM: Full Control (F)