
Active Directory Group Policy objects must have proper access control permissions.


Overview

Finding ID: WN12-AD-000003-DC
Version: WN12-AD-000003-DC
Rule ID: WN12-AD-000003-DC_rule
IA Controls: (none)
Severity: High
Description
When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems relying on the directory service. For Active Directory (AD), the Group Policy objects require special attention. In a distributed administration model (i.e., help desk), Group Policy objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for Group Policy Objects, this could allow an intruder to change the security policy applied to all domain client computers (workstations and servers).
STIG: Microsoft Windows Server 2012 Domain Controller Security Technical Implementation Guide
Date: 2013-07-25

Details

Check Text ( C-WN12-AD-000003-DC_chk )
Verify the permissions on Group Policy objects.

Open "Group Policy Management". (Available from various menus or run "gpmc.msc".)
Navigate to "Group Policy Objects" in the domain being reviewed (Forest > Domains > Domain).

For each Group Policy object:
Select the Group Policy object item in the left pane.
Select the Delegation tab in the right pane.
Select the Advanced button.

If any standard user accounts or groups have greater than Allow permissions of Read and Apply group policy, this is a finding. The default permissions noted below meet this requirement.

Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the IAO.

The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next Advanced button, selecting the desired Permission entry and the Edit button.

CREATOR OWNER - Special permissions

Authenticated Users - Read, Apply group policy, Special permissions

The Special permissions for Authenticated Users are for Read type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions

Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions

Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions

ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

The Anonymous Logon, Guests, or any group that contains those groups (in which users are not uniquely identified and authenticated) must not have any access permissions unless the group and justification are explicitly documented with the IAO.
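The manual check above (and the matching Fix Text) walks through each GPO's Delegation tab by hand. The following PowerShell is an added example, not part of the STIG text or of any Microsoft tool: it enumerates every GPO in the domain with the GroupPolicy RSAT module (Get-GPO, Get-GPPermission) and reports any trustee whose summary-level permission exceeds Read and Apply group policy, any unidentified principal (Anonymous Logon, Guests) with access at all, and any custom ACL that the summary view cannot classify. The default administrative entries the check lists (SYSTEM, CREATOR OWNER, Domain Admins, Enterprise Admins) are matched by well-known SID so renamed groups are still recognised. The function name, variable names and the "Finding"/"Review" status strings are the example's own.

```powershell
# Added example (not STIG or Microsoft code): audit GPO delegation against WN12-AD-000003-DC.
# Assumes the GroupPolicy RSAT module and an account that can read GPO ACLs.
Import-Module GroupPolicy

function Get-GpoPermissionFindings {
    [CmdletBinding()]
    param(
        # Domain to audit; defaults to the domain of the current user.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    # Default entries the check lists with edit-level or special rights, matched by SID/RID.
    $defaultPrivileged = @(
        '^S-1-5-18$',          # SYSTEM
        '^S-1-3-0$',           # CREATOR OWNER
        '^S-1-5-21-.+-512$',   # Domain Admins
        '^S-1-5-21-.+-519$'    # Enterprise Admins
    )
    # Principals whose members are not uniquely identified: any access is a finding.
    $unidentified = @(
        '^S-1-5-7$',           # ANONYMOUS LOGON
        '^S-1-5-32-546$',      # Guests
        '^S-1-5-21-.+-514$',   # Domain Guests
        '^S-1-1-0$'            # Everyone (contains the Guest account)
    )
    # GPMC summary levels that grant more than Read + Apply group policy.
    $writeLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        foreach ($ace in Get-GPPermission -Guid $gpo.Id -Domain $Domain -All) {
            if ($ace.Denied) { continue }            # Deny entries grant nothing
            $sid   = $ace.Trustee.Sid.Value
            $level = $ace.Permission.ToString()      # GpoRead, GpoApply, GpoEdit, ...

            $status = $null
            if ($unidentified | Where-Object { $sid -match $_ }) {
                $status = 'Finding: unidentified principal has access'
            }
            elseif ($defaultPrivileged | Where-Object { $sid -match $_ }) {
                continue                              # default administrative entry
            }
            elseif ($level -in $writeLevels) {
                $status = "Finding: $level exceeds Read/Apply"
            }
            elseif ($level -eq 'GpoCustom') {
                # The summary view cannot separate Read-type special permissions from
                # Create/Delete/Modify/Write; inspect the entry in the Advanced editor.
                $status = 'Review: custom ACL, inspect detailed permissions'
            }

            if ($status) {
                [pscustomobject]@{
                    GPO        = $gpo.DisplayName
                    GpoId      = $gpo.Id
                    Trustee    = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
                    Sid        = $sid
                    Permission = $level
                    Inherited  = $ace.Inherited
                    Status     = $status
                }
            }
        }
    }
}

# Usage: show everything that needs attention, or pipe to Export-Csv for IAO documentation.
Get-GpoPermissionFindings | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

ENTERPRISE DOMAIN CONTROLLERS and Authenticated Users are deliberately not exempted: their defaults (GpoRead and GpoApply respectively) pass the Read/Apply test on their own, so an edit-level grant to either group is reported as a finding, which is what the check requires. Entries reported as "Review" still need the detailed permission view described above, because Get-GPPermission only exposes the summary level.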
Fix Text (F-WN12-AD-000003-DC_fix)
Ensure the permissions on Group Policy objects do not allow greater than Read and Apply group policy for standard user accounts or groups. The defaults below meet this requirement.

CREATOR OWNER - Special permissions

Authenticated Users - Read, Apply group policy, Special permissions
The Special permissions for Authenticated Users are for Read type Properties.

SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions

Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions

Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions

ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Document any other access permissions that allow the objects to be updated with the IAO.