
Access control permissions on the GPT directory files must comply with the required guidance.


Overview

Finding ID: V-27119
Version: DS00.0122_2008
Rule ID: SV-39858r1_rule
IA Controls: ECAN-1, ECCD-1, ECCD-2
Severity: High
Description
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. For AD this data includes identification, authentication, and authorization data. A compromise of this data could have grave consequences to a large number of hosts throughout the AD forest that utilize the directory server data to make access control decisions.
STIG: Windows 2008 Domain Controller Security Technical Implementation Guide
Date: 2013-07-03

Details

Check Text (C-32093r1_chk)
1. At a command line prompt enter “net share”.

2. Note the location for the SYSVOL share.

3. Checking the noted location in Windows Explorer, compare the ACLs of the GPT *directories* (GPT parent and GPT Policies directories) to the specifications below.

4. If the permissions are not at least as restrictive as those below, then this is a finding.

GPT Parent (SYSVOL) and GPT Policies Directories Permissions:

...\SYSVOL
- Administrators, SYSTEM: Full Control (F)
- Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents
- CREATOR OWNER: Full Control (F) - Subfolders and files only

...\SYSVOL\[domain]\Policies
- Administrators, SYSTEM: Full Control (F)
- Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents
- CREATOR OWNER: Full Control (F) - Subfolders and files only
- Group Policy Creator Owners: Read, Read & Execute, List Folder Contents, Modify, Write
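As an added example, not part of the STIG text: a PowerShell script that performs the check above (locate the SYSVOL share, then compare the ACLs of the SYSVOL root and each domain's Policies directory against the baseline) and reports any Allow entry for an identity not in the baseline, or any identity holding rights beyond those permitted. It assumes an elevated session on the domain controller; Test-GptDirectoryAcl and the two baseline tables are this example's own names.

```powershell
# Added example (not from the STIG): audit SYSVOL and Policies ACLs against the baseline above.
# Assumes an elevated PowerShell session on the domain controller (works on PowerShell 2.0).
# Identities are compared on the part after the backslash so the domain prefix does not matter.
$FS = [System.Security.AccessControl.FileSystemRights]

# Maximum rights each identity may hold; "Read, Read & Execute, List Folder Contents" is
# ReadAndExecute, and "Modify, Write" is Modify. Any other identity or extra right is a finding.
$SysvolBaseline = @{
    'Administrators'      = [int]$FS::FullControl
    'SYSTEM'              = [int]$FS::FullControl
    'CREATOR OWNER'       = [int]$FS::FullControl
    'Authenticated Users' = [int]$FS::ReadAndExecute
    'Server Operators'    = [int]$FS::ReadAndExecute
}
$PoliciesBaseline = $SysvolBaseline.Clone()
$PoliciesBaseline['Group Policy Creator Owners'] = [int]$FS::Modify

function Test-GptDirectoryAcl {
    param([string]$Path, [hashtable]$Baseline)
    $findings = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Deny entries only tighten access; only Allow entries can be too permissive.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if (-not $Baseline.ContainsKey($name)) {
            $findings += "$Path : unexpected identity '$($ace.IdentityReference)'"
            continue
        }
        $rights = [int]$ace.FileSystemRights
        # Inherit-only entries (e.g. CREATOR OWNER on subfolders and files) are often stored as
        # GENERIC_ALL (0x10000000); treat that as Full Control. Synchronize always accompanies
        # Explorer-granted rights, so it is excluded from the comparison.
        if ($rights -band 0x10000000) { $rights = [int]$FS::FullControl }
        $allowed = $Baseline[$name] -bor [int]$FS::Synchronize
        if (($rights -band (-bnot $allowed)) -ne 0) {
            $findings += "$Path : '$name' holds more than allowed: $($ace.FileSystemRights)"
        }
    }
    return $findings
}

# Steps 1-2: locate the SYSVOL share (Win32_Share is available on Server 2008, unlike Get-SmbShare).
$sysvolPath = (Get-WmiObject Win32_Share -Filter "Name='SYSVOL'").Path
$results = @(Test-GptDirectoryAcl -Path $sysvolPath -Baseline $SysvolBaseline)
# Step 3: each domain folder under the share has its own Policies directory.
foreach ($dom in (Get-ChildItem $sysvolPath | Where-Object { $_.PSIsContainer })) {
    $policies = Join-Path $dom.FullName 'Policies'
    if (Test-Path $policies) { $results += @(Test-GptDirectoryAcl -Path $policies -Baseline $PoliciesBaseline) }
}
# Step 4: anything reported here means permissions are less restrictive than required.
if ($results.Count -gt 0) { $results | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output 'No permissions beyond the baseline found' }
```

Entries flagged as "unexpected identity" still need a manual look, since a site-specific group with read-only rights is not necessarily a finding under this rule.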
Fix Text (F-34003r1_fix)
Set the permissions as follows:

GPT Parent (SYSVOL) and GPT Policies Directories Permissions:

...\SYSVOL
- Administrators, SYSTEM: Full Control (F)
- Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents
- CREATOR OWNER: Full Control (F) - Subfolders and files only

...\SYSVOL\[domain]\Policies
- Administrators, SYSTEM: Full Control (F)
- Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents
- CREATOR OWNER: Full Control (F) - Subfolders and files only
- Group Policy Creator Owners: Read, Read & Execute, List Folder Contents, Modify, Write