
The access control permissions for the Domain and OU group policy must be configured to use the required access permissions.


Overview

Finding ID: V-29540
Version: DS00.0131_AD
Rule ID: SV-39026r1_rule
IA Controls: ECAN-1, ECCD-1, ECCD-2, ECLP-1
Severity: High
Description
When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service. For AD, the Group Policy and OU objects require special attention. In a distributed administration model (i.e., help desk), Group Policy and OU objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for Group Policy Objects, this could allow an intruder to change the security policy applied to all domain client computers (workstations and servers). If inappropriate access permissions are defined for OU objects, it could allow an intruder to add or delete users in the OU. This could result in unauthorized access to data or a denial of service to authorized users.
STIG: Windows 2003 Domain Controller Security Technical Implementation Guide
Date: 2012-07-02

Details

Check Text ( C-32094r1_chk )
Verifying Group Policy Object Procedures - Domain & OU Policies

1. Start the Active Directory Users and Computers console (“Start”, “Run…”, “dsa.msc”).

2. Ensure that the Advanced Features item on the View menu is enabled.

3. Select the left pane item that matches the name of the domain being reviewed.

4. Right-click the domain name and select the Properties item.

5. On the domain Properties window, click the Group Policy tab.

6. For *each* Group Policy Object Link:
a. Select the Group Policy Object Link item.
b. Select the Properties button.
c. On the domain Group Policy Properties window, select the Security tab.
d. Compare the ACL of each domain Group Policy to the specifications for Group Policy Objects below.

7. If the actual permissions for any domain Group Policy object are not at least as restrictive as those below, then this is a finding.

Note: Each domain has at least one domain Group Policy. This will be the Default Domain Policy.

8. Return to the initial console view of the Active Directory Users and Computers console.

9. For each OU that is defined (folder in folder icon):

10. Right-click the OU and select the Properties item.

11. On the OU Properties window, select the Group Policy tab.

12. For *each* Group Policy Object Link:
a. Select the Group Policy Object Link item.
b. Select the Properties button.
c. On the OU Group Policy Properties window, select the Security tab.
d. Compare the ACL of each OU Group Policy to the specifications for Group Policy Objects below.

13. If the actual permissions for any OU Group Policy object are not at least as restrictive as those below, then this is a finding.

Note: Each domain has at least one OU that has a Group Policy. This will be the Domain Controllers OU.

Group Policy Object Permissions:
[Group Policy - e.g., Default Domain]
Administrators, SYSTEM : Full Control (F)
CREATOR OWNER : Full Control (F)
ENTERPRISE DOMAIN CONTROLLERS* : Read
Authenticated Users : Read, Apply Group Policy
[IAO-approved users \ user groups] : Read, Apply Group Policy

Supplemental Notes:
- Groups containing authenticated users (such as the Authenticated Users group), other locally created user groups, and individual users *may* have the Read and Apply Group Policy permissions set to Allow or Deny.

- The Anonymous Logon, Guests, or any group that contains those groups (in which users are not uniquely identified and authenticated) must not have any access permissions unless the group and justification is explicitly documented with the IAO.

- Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the IAO.

- The permissions for the account names with an asterisk are only needed for Windows Server 2003.
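As an added example (not part of the STIG text), the following PowerShell automates steps 3 through 13 from a management host that has the RSAT GroupPolicy and ActiveDirectory modules (the Windows 2003 domain controllers themselves do not ship them): it enumerates the GPOs linked to the domain and to every OU and compares each Allow entry with the permission table above. Trustees are matched on the display name as the table lists it, Get-GPPermission reports "Read, Apply Group Policy" as the single level GpoApply, and $DocumentedTrustees is a placeholder for the IAO-documented exceptions.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Baseline from the "Group Policy Object Permissions" table above, matched on the
# trustee display name as the STIG lists it. Get-GPPermission reports
# "Read, Apply Group Policy" as the single level GpoApply and Full Control as
# GpoEditDeleteModifySecurity.
$FullControlAllowed = @('Administrators', 'SYSTEM', 'CREATOR OWNER')
$NeverAllowed       = @('ANONYMOUS LOGON', 'Guests')   # nested membership is not resolved here
# Assumption: trustees the IAO has explicitly documented as exceptions; fill in locally.
$DocumentedTrustees = @()

function Test-GpoAcl {
    param([Parameter(Mandatory)][guid]$GpoId, [Parameter(Mandatory)][string]$DisplayName)
    $findings = @()
    foreach ($ace in Get-GPPermission -Guid $GpoId -All) {
        # Deny entries only make the ACL more restrictive, and the supplemental
        # notes allow Deny on Read / Apply Group Policy, so they are never findings.
        if ($ace.Denied) { continue }
        $who  = $ace.Trustee.Name
        $perm = $ace.Permission.ToString()
        if ($DocumentedTrustees -contains $who) { continue }
        if ($NeverAllowed -contains $who) {
            $findings += "$DisplayName : $who has $perm (unauthenticated principal must have no access)"
        } elseif (@('GpoRead', 'GpoApply') -contains $perm) {
            continue   # Read or Read+Apply is permitted for any authenticated principal
        } elseif ($perm -eq 'GpoEditDeleteModifySecurity' -and $FullControlAllowed -contains $who) {
            continue   # Full Control is in the baseline only for Administrators, SYSTEM, CREATOR OWNER
        } else {
            $findings += "$DisplayName : $who has $perm (update permission outside baseline; document with IAO or remove)"
        }
    }
    return $findings
}

# Steps 3 to 13: the domain object and every OU, each linked GPO checked once.
$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$seen = @{}
$allFindings = foreach ($target in $targets) {
    foreach ($link in (Get-GPInheritance -Target $target).GpoLinks) {
        if ($seen.ContainsKey($link.GpoId)) { continue }
        $seen[$link.GpoId] = $true
        Test-GpoAcl -GpoId $link.GpoId -DisplayName $link.DisplayName
    }
}
if ($allFindings) { $allFindings | Sort-Object -Unique } else { 'No findings against the V-29540 permission baseline.' }
```

Each reported line is a candidate finding under step 7 or step 13; entries flagged as "update permission outside baseline" are findings unless the IAO has documented them, per the supplemental notes.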

Fix Text (F-28490r1_fix)
Change the access control permissions for the indicated AD objects to conform to the required guidance.