Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-27119 | DS00.0122_2008 | SV-39858r1_rule | ECAN-1 ECCD-1 ECCD-2 | High |
Description |
---|
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. For AD this data includes identification, authentication, and authorization data. A compromise of this data could have grave consequences to a large number of hosts throughout the AD forest that utilize the directory server data to make access control decisions. |
STIG | Date |
---|---|
Windows 2008 Domain Controller Security Technical Implementation Guide | 2013-07-03 |
Check Text ( C-32093r1_chk ) |
---|
1. At a command line prompt enter “net share”. 2. Note the location for the SYSVOL share. 3. Checking the noted location in Windows Explorer, compare the ACLs of the GPT *directories* (GPT parent and GPT Policies directories) to the specifications below. 4. If the permissions are not at least as restrictive as those below, then this is a finding. GPT Parent (SYSVOL) and GPT Policies Directories Permissions: ...\SYSVOL :Administrators, SYSTEM : Full Control (F) :Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents :CREATOR OWNER : Full Control (F) - - Subfolders and files only ...\SYSVOL\[domain]\Policies : Administrators, SYSTEM :Full Control (F) :Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents :CREATOR OWNER : Full Control (F) - - Subfolders and files only :Group Policy Creator Owners: : Read, Read & Execute, List Folder Contents, Modify, Write |
Fix Text (F-34003r1_fix) |
---|
Set the permissions as follows: GPT Parent (SYSVOL) and GPT Policies Directories Permissions: ...\SYSVOL :Administrators, SYSTEM : Full Control (F) :Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents :CREATOR OWNER : Full Control (F) - - Subfolders and files only ...\SYSVOL\[domain]\Policies : Administrators, SYSTEM :Full Control (F) :Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents :CREATOR OWNER : Full Control (F) - - Subfolders and files only :Group Policy Creator Owners: : Read, Read & Execute, List Folder Contents, Modify, Write |