Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-8316 | DS00.0120_2003 | SV-15601r3_rule | ECAN-1 ECCD-1 ECCD-2 | High |
Description |
---|
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. |
STIG | Date |
---|---|
Windows 2003 Domain Controller Security Technical Implementation Guide | 2012-07-02 |
Check Text ( C-40772r1_chk ) |
---|
I. AD Database, Log, and Work Files 1. Use Registry Editor to navigate to HKLM\System\CurrentControlSet\Services\NTDS\Parameters. 2. Note the values for: -- DSA Database file -- Database log files path -- DSA Working Directory. 3. Navigate to the directory locations using Windows Explorer. 4. Verify the ACLs of the AD database, log, and work files with the following: AD Database, Log, and Work Files Permissions: ...\ntds.dit :Administrators, SYSTEM : Full Control (F) ...\edb*.log, ...\res*.log :Administrators, SYSTEM : Full Control (F) ...\temp.edb, ...\edb.chk :Administrators, SYSTEM : Full Control (F) [Note: The directory in which these files reside (usually ...\NTDS) may have permissions defined for CREATOR OWNER and Local Service, but these permissions apply at the directory level only, not to the individual files identified here.] 5. If the permissions are not at least as restrictive as required, then this is a finding. |
Fix Text (F-7973r1_fix) |
---|
Ensure the access control permissions on the AD database, log, and work files are set as follows: ...\ntds.dit :Administrators, SYSTEM : Full Control (F) ...\edb*.log, ...\res*.log :Administrators, SYSTEM : Full Control (F) ...\temp.edb, ...\edb.chk :Administrators, SYSTEM : Full Control (F) |