
Directory service data files do not have proper access permissions.


Overview

Finding ID: V-8316
Version: DS00.0120_2008
Rule ID: SV-34432r1_rule
IA Controls: ECAN-1, ECCD-1, ECCD-2
Severity: High
Description
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.
STIG: Active Directory Service 2008 Security Technical Implementation Guide (STIG)
Date: 2011-05-23

Details

Check Text (C-7636r3_chk)
I. AD Database, Log, and Work Files
1. Use Registry Editor to navigate to HKLM\System\CurrentControlSet\Services\NTDS\Parameters.

2. Note the values for:
-- DSA Database file
-- Database log files path
-- DSA Working Directory.

3. Navigate to the directory locations using Windows Explorer.

4. Verify the ACLs of the AD database, log, and work files with the following:
AD Database, Log, and Work Files Permissions:
...\ntds.dit :Administrators, SYSTEM : Full Control (F)
...\edb*.log, ...\res*.log :Administrators, SYSTEM : Full Control (F)
...\temp.edb, ...\edb.chk :Administrators, SYSTEM : Full Control (F)

[Note: The directory in which these files reside (usually ...\NTDS) may have permissions defined for CREATOR OWNER and Local Service, but these permissions apply at the directory level only, not to the individual files identified here.]

5. If the permissions are not at least as restrictive as required, then this is a finding.
Fix Text (F-7973r3_fix)
Ensure the access control permissions on the AD database, log, and work files are set as follows:

...\ntds.dit :Administrators, SYSTEM : Full Control (F)
...\edb*.log, ...\res*.log :Administrators, SYSTEM : Full Control (F)
...\temp.edb, ...\edb.chk :Administrators, SYSTEM : Full Control (F)
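The check procedure (steps 1 through 5) and the fix text above can both be driven from the same script, since both start by resolving the three NTDS Parameters values to the files they name. The following PowerShell is an added example, not part of the STIG or of any DISA-provided tooling. It reads the registry values, enumerates ntds.dit, edb*.log, res*.log, temp.edb and edb.chk, reports every ACE on those files that is not an Allow / Full Control entry for Administrators or SYSTEM, and offers an icacls-based remediation. Function names (Get-NtdsDataFile, Test-NtdsFileAcl, Repair-NtdsFileAcl) and the use of well-known SIDs instead of account names are this example's own choices; run it in an elevated PowerShell session on the domain controller being reviewed.

```powershell
# Added example: audit (and optionally fix) ACLs on the AD database, log and
# work files located through HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
# Not part of the STIG; function and variable names are this example's own.
Set-StrictMode -Version Latest

# Well-known SIDs, so the check does not depend on localized account names.
$AllowedSids = @('S-1-5-32-544',   # BUILTIN\Administrators
                 'S-1-5-18')       # NT AUTHORITY\SYSTEM
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-NtdsDataFile {
    # Steps 1-2: read the three path values from the NTDS Parameters key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (-not (Test-Path -Path $key)) {
        throw 'NTDS Parameters key not found; is this a domain controller?'
    }
    $p = Get-ItemProperty -Path $key
    $dbFile  = $p.'DSA Database file'          # full path to ntds.dit
    $logDir  = $p.'Database log files path'    # directory holding edb*.log / res*.log
    $workDir = $p.'DSA Working Directory'      # directory holding temp.edb / edb.chk

    # Step 3: resolve the individual files named in the check text.
    $files = @($dbFile)
    foreach ($pattern in 'edb*.log', 'res*.log') {
        $files += Get-ChildItem -Path $logDir -Filter $pattern -File |
                  Select-Object -ExpandProperty FullName
    }
    foreach ($name in 'temp.edb', 'edb.chk') {
        $files += Join-Path -Path $workDir -ChildPath $name
    }
    # Some files (temp.edb, a res*.log) may not exist at a given moment; skip those.
    return $files | Where-Object { Test-Path -LiteralPath $_ } | Sort-Object -Unique
}

function Test-NtdsFileAcl {
    # Steps 4-5: every ACE must be Allow + Full Control for Administrators or SYSTEM.
    # Any other principal, any lesser right, or any Deny entry is reported as a finding.
    param([string[]]$Path = (Get-NtdsDataFile))
    foreach ($file in $Path) {
        $acl = Get-Acl -LiteralPath $file
        foreach ($ace in $acl.Access) {
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
            $isFull  = (($ace.FileSystemRights -band $FullControl) -eq $FullControl)
            $isAllow = ($ace.AccessControlType -eq
                        [System.Security.AccessControl.AccessControlType]::Allow)
            $ok = ($AllowedSids -contains $sid) -and $isFull -and $isAllow
            [pscustomobject]@{
                File      = $file
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
                Finding   = -not $ok
            }
        }
    }
}

function Repair-NtdsFileAcl {
    # Fix text: remove inherited ACEs on the file itself and leave only the two
    # required Full Control grants. icacls accepts SIDs in the *S-... form.
    param([string[]]$Path = (Get-NtdsDataFile), [switch]$WhatIf)
    foreach ($file in $Path) {
        $icaclsArgs = @($file, '/inheritance:r', '/grant:r',
                        '*S-1-5-32-544:F', '*S-1-5-18:F')
        if ($WhatIf) { Write-Host "icacls $($icaclsArgs -join ' ')" }
        else         { & icacls.exe @icaclsArgs }
    }
}

# Usage: list every ACE with its finding flag, then (after review) apply the fix.
$results = Test-NtdsFileAcl
$results | Format-Table -AutoSize
if ($results | Where-Object -Property Finding) {
    Write-Warning 'V-8316: AD data file permissions are not as restrictive as required.'
}
# Repair-NtdsFileAcl -WhatIf    # preview the icacls commands before running them for real
```

Two design points worth noting. The check flags only entries that weaken the required ACL; a file that grants less than the listed two principals is still "at least as restrictive as required" and is not a finding, matching step 5. And because the ACEs are compared by SID rather than by name, the script gives the same verdict on a domain controller whose built-in group names are localized. The remediation uses /inheritance:r so that the CREATOR OWNER and Local Service entries the note above describes at the directory level cannot flow down onto the files; preview it with -WhatIf first and take a system state backup before changing permissions on a live ntds.dit.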