
The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.


Overview

Finding ID: WN12-AD-000004-DC
Version: WN12-AD-000004-DC
Rule ID: WN12-AD-000004-DC_rule
IA Controls: (none listed)
Severity: High
Description
When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service.

For Active Directory (AD), the Organizational Unit (OU) objects require special attention. In a distributed administration model (e.g., help desk), OU objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for OU objects, an intruder could add or delete users in the OU. This could result in unauthorized access to data or a Denial of Service to authorized users.
STIG: Microsoft Windows Server 2012 Domain Controller Security Technical Implementation Guide
Date: 2013-07-25

Details

Check Text ( C-WN12-AD-000004-DC_chk )
Verify the permissions on the Domain Controllers OU.

Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".)
Ensure Advanced Features is selected in the View menu.
Navigate to the Domain Controllers OU (folder in folder icon).
Right click the OU and select Properties.
Select the Security tab.

If the permissions on the Domain Controllers OU are not at least as restrictive as those below, this is a finding.

The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the Advanced button, selecting the desired Permission entry, and then selecting the Edit button.

SELF - Special permissions

Authenticated Users - Read, Special permissions
The Special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

SYSTEM - Full Control

Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions

Enterprise Admins - Full Control

Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions

Pre-Windows 2000 Compatible Access - Special permissions
The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

ENTERPRISE DOMAIN CONTROLLERS - Special permissions

If an IAO (Information Assurance Officer)-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the IAO.
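The check above is a manual walk through the ADUC Security tab. The following PowerShell script is an added example, not part of the STIG text, that performs the same review from the command line: it reads the DACL of the Domain Controllers OU, resolves extended-right GUIDs (such as the two RSoP rights) to their display names from the Extended-Rights container, and flags every Allow ACE that grants more than Read to an identity other than SYSTEM, Administrators, Domain Admins, or Enterprise Admins. Authenticated Users and Pre-Windows 2000 Compatible Access are marked as findings when they hold any write-type right, exactly as the check text requires; any other non-privileged identity above Read is marked for review against the IAO's documented exceptions. It assumes the RSAT ActiveDirectory module is installed, a domain-joined session, and English-locale principal names (those literal names are assumptions).

```powershell
# Added example (not STIG text): audit the Domain Controllers OU ACL against WN12-AD-000004-DC.
# Assumes: RSAT ActiveDirectory module, domain-joined session, English principal names.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$ouDn     = $domain.DomainControllersContainer       # OU=Domain Controllers,DC=...
$acl      = Get-Acl -Path "AD:\$ouDn"
$configNC = (Get-ADRootDSE).configurationNamingContext

# Identities the STIG allows to hold more than Read on this OU (assumed English names).
$privileged = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins"
)
# Identities the check text says must hold Read-type rights only.
$readOnly = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Pre-Windows 2000 Compatible Access'
)

# Any of these bits lets the holder create, delete, modify, or write the OU or its contents.
$aboveRead = [System.DirectoryServices.ActiveDirectoryRights](
    'CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, ' +
    'WriteDacl, WriteOwner, GenericWrite, GenericAll, ExtendedRight')

# Map an extended-right GUID (e.g. RSoP planning/logging) to its displayName.
function Resolve-ExtendedRight {
    param([guid]$Guid)
    if ($Guid -eq [guid]::Empty) { return 'All extended rights' }
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                          -LDAPFilter "(rightsGuid=$Guid)" -Properties displayName
    if ($right) { $right.displayName } else { $Guid.ToString() }
}

$report = foreach ($ace in $acl.Access) {
    $id     = $ace.IdentityReference.Value
    $rights = $ace.ActiveDirectoryRights
    $grantsAboveRead = ($ace.AccessControlType -eq 'Allow') -and
                       (($rights -band $aboveRead) -ne 0)

    # Describe object-specific ACEs so "Special permissions" becomes readable.
    $scope = if ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
                 Resolve-ExtendedRight $ace.ObjectType
             } elseif ($ace.ObjectType -ne [guid]::Empty) {
                 "object-specific ($($ace.ObjectType))"
             } else { 'whole object' }

    $verdict = if (-not $grantsAboveRead)  { 'ok (read-type or deny)' }
               elseif ($id -in $privileged) { 'ok (privileged per STIG)' }
               elseif ($id -in $readOnly)   { 'FINDING: write-type right on read-only principal' }
               else                         { 'REVIEW: above Read, must be IAO-documented' }

    [pscustomobject]@{
        Identity  = $id
        Type      = $ace.AccessControlType
        Rights    = $rights
        Scope     = $scope
        Inherited = $ace.IsInherited
        Verdict   = $verdict
    }
}

$report | Sort-Object Verdict, Identity | Format-Table -AutoSize
# Non-zero exit when any explicit finding exists, so the script can be run from a compliance job.
if ($report.Verdict -match '^FINDING') { exit 1 }
```

Run it on a domain controller (or any host with RSAT) as an account that can read the OU's security descriptor. Inherited ACEs are included on purpose, since ADUC shows them and the STIG evaluates the effective ACL; a write-type ACE that arrives by inheritance from the domain root still counts. The REVIEW rows are not automatically findings: compare them against the IAO-documented groups before recording a result.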
Fix Text (F-WN12-AD-000004-DC_fix)
Ensure the permissions on the Domain Controllers OU are at least as restrictive as the defaults below.

Document any additional permissions above read with the IAO if an approved distributed administration model (help desk or other user support staff) is implemented.

SELF - Special permissions

Authenticated Users - Read, Special permissions
The Special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

SYSTEM - Full Control

Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions

Enterprise Admins - Full Control

Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions

Pre-Windows 2000 Compatible Access - Special permissions
The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

ENTERPRISE DOMAIN CONTROLLERS - Special permissions