
Access control permissions on the GPT directory files must comply with the required guidance.


Overview

Finding ID: V-27119
Version: DS00.0122_2008
Rule ID: SV-39858r1_rule
IA Controls: ECAN-1, ECCD-1, ECCD-2
Severity: High
Description
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. For AD this data includes identification, authentication, and authorization data. A compromise of this data could have grave consequences to a large number of hosts throughout the AD forest that utilize the directory server data to make access control decisions.
STIG: Windows 2008 Domain Controller Security Technical Implementation Guide
Date: 2013-07-03

Details

Check Text (C-32093r1_chk)
1. At a command line prompt enter “net share”.

2. Note the location for the SYSVOL share.

3. In Windows Explorer, open the noted location and compare the ACLs of the GPT *directories* (the GPT parent and GPT Policies directories) to the specifications below.

4. If the permissions are not at least as restrictive as those below, then this is a finding.

GPT Parent (SYSVOL) and GPT Policies Directories Permissions:

...\SYSVOL
  Administrators, SYSTEM: Full Control (F)
  Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents
  CREATOR OWNER: Full Control (F) - Subfolders and files only

...\SYSVOL\[domain]\Policies
  Administrators, SYSTEM: Full Control (F)
  Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents
  CREATOR OWNER: Full Control (F) - Subfolders and files only
  Group Policy Creator Owners: Read, Read & Execute, List Folder Contents, Modify, Write
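The check above can be scripted instead of compared by hand in Explorer. The following PowerShell is an added example, not part of the STIG or the UCF viewer: it locates the SYSVOL share the same way "net share" does, then reports any ACE on the GPT parent and Policies directories that exceeds the table above. It assumes it runs as an administrator on the domain controller, that the domain folder under SYSVOL is named by $env:USERDNSDOMAIN, and that identities can be matched by the account name after the backslash.

```powershell
# Rights the STIG table allows. The GUI's "Read, Read & Execute, List Folder Contents"
# is ReadAndExecute plus Synchronize on the ACE; Modify and FullControl include the rest.
$fc   = [System.Security.AccessControl.FileSystemRights]::FullControl
$sync = [System.Security.AccessControl.FileSystemRights]::Synchronize
$rx   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor $sync
$mod  = [System.Security.AccessControl.FileSystemRights]::Modify -bor $sync

# Maximum rights per identity for each directory; an identity not listed is a finding.
$parentMax = @{ 'Administrators' = $fc; 'SYSTEM' = $fc; 'CREATOR OWNER' = $fc
                'Authenticated Users' = $rx; 'Server Operators' = $rx }
$policiesMax = $parentMax.Clone()
$policiesMax['Group Policy Creator Owners'] = $mod

function Test-GptDirectoryAcl([string]$Path, [hashtable]$Max) {
    $findings = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Deny entries only tighten access; the table describes Allow entries.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $name   = ($ace.IdentityReference.Value -split '\\')[-1]   # assumption: match by name
        $rights = [int]$ace.FileSystemRights
        if ($rights -lt 0) {   # generic-rights ACE (shown as a negative number): review by hand
            $findings += "$Path : $name uses generic rights ($rights), review manually"
            continue
        }
        if (-not $Max.ContainsKey($name)) {
            $findings += "$Path : unexpected identity $($ace.IdentityReference.Value)"
            continue
        }
        # Any bit set beyond the allowed mask means the ACE is less restrictive than required.
        if (($rights -band -bnot [int]$Max[$name]) -ne 0) {
            $findings += "$Path : $name has $($ace.FileSystemRights), allowed at most $($Max[$name])"
        }
        # CREATOR OWNER must apply to "subfolders and files only", i.e. inherit-only.
        if ($name -eq 'CREATOR OWNER' -and $ace.PropagationFlags -notmatch 'InheritOnly') {
            $findings += "$Path : CREATOR OWNER is not limited to subfolders and files only"
        }
    }
    return ,$findings
}

# Steps 1-2: find the SYSVOL share path as "net share" reports it (Win32_Share works on 2008).
$share = Get-WmiObject Win32_Share -Filter "Name='SYSVOL'"
if (-not $share) { throw 'SYSVOL share not found; is this a domain controller?' }
$sysvol   = $share.Path
$policies = Join-Path $sysvol (Join-Path $env:USERDNSDOMAIN 'Policies')

# Steps 3-4: compare both directories against their tables; every line printed is a finding.
$results = (Test-GptDirectoryAcl $sysvol $parentMax) + (Test-GptDirectoryAcl $policies $policiesMax)
if ($results) { $results } else { 'No finding: permissions are at least as restrictive as required.' }
```

The script applies the table literally, so any ACE for an identity the table does not list is reported and left for the reviewer to judge.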
Fix Text (F-34003r1_fix)
Set the permissions as follows:

GPT Parent (SYSVOL) and GPT Policies Directories Permissions:

...\SYSVOL
  Administrators, SYSTEM: Full Control (F)
  Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents
  CREATOR OWNER: Full Control (F) - Subfolders and files only

...\SYSVOL\[domain]\Policies
  Administrators, SYSTEM: Full Control (F)
  Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents
  CREATOR OWNER: Full Control (F) - Subfolders and files only
  Group Policy Creator Owners: Read, Read & Execute, List Folder Contents, Modify, Write