I. AD Database, Log, and Work Files
1. Use Registry Editor to navigate to HKLM\System\CurrentControlSet\Services\NTDS\Parameters.
2. Note the values for:
-- DSA Database file
-- Database log files path
-- DSA Working Directory
3. Navigate to the directory locations using Windows Explorer.
4. Verify the ACLs of the AD database, log, and work files with the following:
AD Database, Log, and Work Files Permissions:
...\ntds.dit : Administrators, SYSTEM : Full Control (F)
...\edb*.log, ...\res*.log : Administrators, SYSTEM : Full Control (F)
...\temp.edb, ...\edb.chk : Administrators, SYSTEM : Full Control (F)
[Note: The directory in which these files reside (usually ...\NTDS) may have permissions defined for CREATOR OWNER and Local Service, but these permissions apply at the directory level only, not to the individual files identified here.]
5. If the permissions are not at least as restrictive as required, then this is a finding.
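
The steps above can be scripted. The following PowerShell is an added example, not part of the original check text. It assumes an elevated Windows PowerShell 3.0 or later session on the domain controller, and it treats any Allow entry for a principal other than BUILTIN\Administrators (S-1-5-32-544) or SYSTEM (S-1-5-18) as less restrictive than required.

```powershell
# Added example: audit ACLs on the AD database, log, and work files.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$p   = Get-ItemProperty -Path $key

$dbFile  = $p.'DSA Database file'          # full path to the database file
$logDir  = $p.'Database log files path'
$workDir = $p.'DSA Working Directory'

# Directories to inspect, and the file names/patterns listed in the check.
$dirs  = @((Split-Path $dbFile -Parent), $logDir, $workDir) | Sort-Object -Unique
$names = @((Split-Path $dbFile -Leaf), 'edb*.log', 'res*.log', 'temp.edb', 'edb.chk')

$files = foreach ($dir in $dirs) {
    Get-ChildItem -LiteralPath $dir -File -Force | Where-Object {
        $name = $_.Name
        $names | Where-Object { $name -like $_ }
    }
}

# Well-known SIDs are used so the comparison does not depend on localized names.
$allowed = @('S-1-5-32-544', 'S-1-5-18')   # BUILTIN\Administrators, SYSTEM
$sidType = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($file in $files) {
    $acl = Get-Acl -LiteralPath $file.FullName
    # Explicit and inherited entries both grant access, so include both.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        # Deny entries only restrict access further; report Allow entries only.
        if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $sid) {
            [pscustomobject]@{
                File      = $file.FullName
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object File, Sid | Format-Table -AutoSize
    Write-Output 'FINDING: entries above grant access beyond Administrators and SYSTEM.'
} else {
    Write-Output "No finding: $(@($files).Count) file(s) checked."
}
```

Entries reported with Inherited = True come from the parent directory's ACL, so compare them against the directory-level permissions described in the note above before changing anything.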