Access Control permissions on the FRS Directory data files must have proper access permissions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-27109	DS00.0121_2003	SV-34409r1_rule		Medium

Description
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.

STIG	Date
Windows 2003 Domain Controller Security Technical Implementation Guide	2013-03-14

Details

Check Text ( C-32092r1_chk )
1. Use Registry Editor to navigate to HKLM\System\CurrentControlSet\Services\NtFrs\Parameters. 2. Note the value for: Working Directory. 3. Checking the noted location in Windows Explorer, compare the ACLs of the FRS directory to the specifications below. 4. If the permissions are not at least as restrictive as those below, then this is a finding. FRS Directory Permissions: ...\Ntfrs :Administrators, SYSTEM : Full Control (F)

Check Text ( C-32092r1_chk )

1. Use Registry Editor to navigate to HKLM\System\CurrentControlSet\Services\NtFrs\Parameters.

2. Note the value for: Working Directory.

3. Checking the noted location in Windows Explorer, compare the ACLs of the FRS *directory* to the specifications below.

4. If the permissions are not at least as restrictive as those below, then this is a finding.

FRS Directory Permissions:
...\Ntfrs :Administrators, SYSTEM : Full Control (F)

Fix Text (F-14374r1_fix)
- Change the access control permissions on the directory data files to conform to the following guidance : Windows Permissions: Administrators, CREATOR OWNER, SYSTEM : Full Control (F) [Directory server owner account\group] : Full Control (F) [Directory server execution account\group] : Full Control (F) [Other directory server group] : Read & Execute (R) [IAO-approved users \ user groups] : Read & Execute (R) UNIX Permissions: root : Read\Write\Exec (7) [Directory server owner account\group] : Read\Write\Exec (7) [Directory server execution account\group] : Read\Write\Exec (7) [Other directory server group] : Read\Exec (5) [IAO-approved users \ user groups] : Read\Exec (5) Note - As far as possible, no (0) access is to be defined for the “group” and\or “other” permissions on UNIX directories or files containing sensitive data and directory backup files.

Fix Text (F-14374r1_fix)

- Change the access control permissions on the directory data files to conform to the following guidance :

Windows Permissions:
Administrators, CREATOR OWNER, SYSTEM : Full Control (F)
[Directory server owner account\group] : Full Control (F)
[Directory server execution account\group] : Full Control (F)
[Other directory server group] : Read & Execute (R)
[IAO-approved users \ user groups] : Read & Execute (R)

UNIX Permissions:
root : Read\Write\Exec (7)
[Directory server owner account\group] : Read\Write\Exec (7)
[Directory server execution account\group] : Read\Write\Exec (7)
[Other directory server group] : Read\Exec (5)
[IAO-approved users \ user groups] : Read\Exec (5)

*Note* - As far as possible, no (0) access is to be defined for the “group” and\or “other” permissions on UNIX directories or files containing sensitive data and directory backup files.