Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
WN12-00-000009 | WN12-00-000009 | WN12-00-000009_rule | Medium |
Description |
---|
Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions present on NTFS disk drives for backup and restore purposes. Members of the Backup Operators group must have separate logon accounts for performing backup duties. |
STIG | Date |
---|---|
Microsoft Windows Server 2012 Member Server Security Technical Implementation Guide | 2013-07-25 |
Check Text ( C-WN12-00-000009_chk ) |
---|
Review the Backup Operators group in Computer Management or Active Directory Users and Computers. If the group contains any accounts, including application accounts, this must be documented with the IAO. Any accounts that are members of the Backup Operators group must be documented, including application accounts. Users with accounts in the Backup Operators group must have a separate user account for backup functions and for performing normal user tasks. If the group contains no accounts, this is not a finding. If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding. |
Fix Text (F-WN12-00-000009_fix) |
---|
Ensure that each member of the Backup Operators group has separate accounts for backup functions and standard user functions. Create the necessary documentation that identifies the members of the Backup Operators group. |