
Directory server directories and files must be configured with required permissions.


Overview

Finding ID: V-8320
Version: DS00.1150_AD
Rule ID: SV-31549r1_rule
IA Controls: DCSL-1
Severity: Medium
Description
Improper access permissions for directory server program (executable) and configuration files could allow unauthorized and malicious users to read, modify, or delete those files and change the way a directory server operates. This could lead to a compromise of the confidentiality, availability, and integrity of directory data. Some administration tool packages (such as the Windows Support Tools) include programs designed to perform updates on directory configuration and database data. Even though the directory data should be protected through file and object access permissions, allowing unauthorized access to administrative programs provides a potential attacker with tools that are already installed in the environment.
STIG: Active Directory Service 2003 Security Technical Implementation Guide (STIG)
Date: 2011-05-20

Details

Check Text ( C-14106r2_chk )
This check examines only the Windows Support Tools. If none of the tools are installed, then this check is not applicable.

1. Start Windows Explorer.

2. Right-click the “My Computer” item and select “Search…”.

3. Type “Support” in the file name field.

4. Select “Local Hard Drives” in the “Look in:” field.

5. Click the Search [or Search Now] button.

6. Record the location for the “Support Tools” directory. The SA may have installed the Support Tools under an alternate name. If the default directory is not found, ask the SA.

7. If the directory is not found and the SA confirms that the Support Tools are not installed, then this check is not applicable.

8. Using the recorded location, compare the current ACL of the Support Tools directory to the following:

Windows Support Tools Permissions:
...\Support Tools
  Administrators, SYSTEM: Full Control (F)
  [IAO-approved users \ user groups]: Read, Read & Execute, List Folder Contents

9. If the folder permissions are not at least as restrictive as required, then this is a finding.
Fix Text (F-28705r1_fix)
Configure the directory service as follows:

Windows Support Tools Permissions:
...\Support Tools
  Administrators, SYSTEM: Full Control (F)
  [IAO-approved users \ user groups]: Read, Read & Execute, List Folder Contents