UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Access Control permissions on the FRS Directory data files must have proper access permissions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-27109 DS00.0121_2003 SV-34409r1_rule Medium
Description
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.
STIG Date
Windows 2003 Domain Controller Security Technical Implementation Guide 2014-01-07

Details

Check Text ( C-32092r1_chk )
1. Use Registry Editor to navigate to HKLM\System\CurrentControlSet\Services\NtFrs\Parameters.

2. Note the value for: Working Directory.

3. Checking the noted location in Windows Explorer, compare the ACLs of the FRS *directory* to the specifications below.

4. If the permissions are not at least as restrictive as those below, then this is a finding.

FRS Directory Permissions:
...\Ntfrs :Administrators, SYSTEM : Full Control (F)
Fix Text (F-14374r1_fix)
- Change the access control permissions on the directory data files to conform to the following guidance :

Windows Permissions:
Administrators, CREATOR OWNER, SYSTEM : Full Control (F)
[Directory server owner account\group] : Full Control (F)
[Directory server execution account\group] : Full Control (F)
[Other directory server group] : Read & Execute (R)
[IAO-approved users \ user groups] : Read & Execute (R)

UNIX Permissions:
root : Read\Write\Exec (7)
[Directory server owner account\group] : Read\Write\Exec (7)
[Directory server execution account\group] : Read\Write\Exec (7)
[Other directory server group] : Read\Exec (5)
[IAO-approved users \ user groups] : Read\Exec (5)

*Note* - As far as possible, no (0) access is to be defined for the “group” and\or “other” permissions on UNIX directories or files containing sensitive data and directory backup files.