Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-12780 | DS00.0210_AD | SV-13345r1_rule | ECAN-1 ECCD-1 ECCD-2 ECLP-1 | High |
Description |
---|
A Windows account with the Synchronize Directory Service Data right has the ability to read all information in the AD database. This bypasses the object access permissions that would otherwise restrict access to the data. The scope of access granted by this right is too broad for secure usage. Specific object permissions or other group membership assignments could be used to provide access on an appropriate scale. |
STIG | Date |
---|---|
Windows 2008 Domain Controller Security Technical Implementation Guide | 2013-03-14 |
Check Text ( C-7745r1_chk ) |
---|
1. Start the Security Configuration and Analysis tool. 2. Select and expand the “Security Configuration and Analysis” item in the left pane. 3. Select and expand the “Local Policies” item in the left pane. 4. Select the “User Rights Assignment” item in the left pane. 5. Scroll down to the “Synchronize Directory Service Data Right” item in the right pane. 6. Note the values indicated in the Computer Setting column. 7. If any accounts (including groups) are assigned the Synchronize Directory Service Data Right, then this is a finding. |
Fix Text (F-12301r1_fix) |
---|
If any accounts (including groups) are assigned the Synchronize Directory Service Data Right, then remove this right from the account. |