Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-27109 | DS00.0121_2003 | SV-34409r1_rule | Medium |
Description |
---|
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. |
STIG | Date |
---|---|
Windows 2003 Domain Controller Security Technical Implementation Guide | 2013-10-01 |
Check Text ( C-32092r1_chk ) |
---|
1. Use Registry Editor to navigate to HKLM\System\CurrentControlSet\Services\NtFrs\Parameters. 2. Note the value for: Working Directory. 3. Checking the noted location in Windows Explorer, compare the ACLs of the FRS *directory* to the specifications below. 4. If the permissions are not at least as restrictive as those below, then this is a finding. FRS Directory Permissions: ...\Ntfrs :Administrators, SYSTEM : Full Control (F) |
Fix Text (F-14374r1_fix) |
---|
- Change the access control permissions on the directory data files to conform to the following guidance : Windows Permissions: Administrators, CREATOR OWNER, SYSTEM : Full Control (F) [Directory server owner account\group] : Full Control (F) [Directory server execution account\group] : Full Control (F) [Other directory server group] : Read & Execute (R) [IAO-approved users \ user groups] : Read & Execute (R) UNIX Permissions: root : Read\Write\Exec (7) [Directory server owner account\group] : Read\Write\Exec (7) [Directory server execution account\group] : Read\Write\Exec (7) [Other directory server group] : Read\Exec (5) [IAO-approved users \ user groups] : Read\Exec (5) *Note* - As far as possible, no (0) access is to be defined for the “group” and\or “other” permissions on UNIX directories or files containing sensitive data and directory backup files. |