The access control permissions for the OU objects must be configured to use the required access permissions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-29546	DS00.0132_AD	SV-39037r1_rule	ECAN-1 ECCD-1 ECCD-2 ECLP-1	High

Description
When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service. For AD, the Group Policy and OU objects require special attention. In a distributed administration model (i.e., help desk). Group Policy and OU objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for Group Policy Objects, this could allow an intruder to change the security policy applied to all domain client computers (workstations and servers). If inappropriate access permissions are defined for OU objects, it could allow an intruder to add or delete users in the OU. This could result in unauthorized access to data or a denial of service to authorized users.

Description

When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service. For AD, the Group Policy and OU objects require special attention. In a distributed administration model (i.e., help desk). Group Policy and OU objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for Group Policy Objects, this could allow an intruder to change the security policy applied to all domain client computers (workstations and servers). If inappropriate access permissions are defined for OU objects, it could allow an intruder to add or delete users in the OU. This could result in unauthorized access to data or a denial of service to authorized users.

STIG	Date
Windows 2008 Domain Controller Security Technical Implementation Guide	2013-07-03

Details

Check Text ( C-38038r1_chk )
Verifying the Organizational Unit object. 1. Start the Active Directory Users and Computers console (“Start”, “Run…”, “dsa.msc”). Ensure that the Advanced Features item on the View menu is enabled. 2. For each OU that is defined (folder in folder icon): 3. Right-click the OU and select the Properties item. 4. On the OU Properties window, select the Security tab. 5. Compare the ACL of the OU to the specifications for Organizational Unit Objects below. 6. If the actual permissions for any OU object are not at least as restrictive as those below, then this is a finding. Organizational Unit (OU) Object Permissions: [OU - e.g., Domain Controllers] :Administrators, SYSTEM :Full Control (F) :CREATOR OWNER :Full Control (F) :ENTERPRISE DOMAIN CONTROLLERS* :Read :Authenticated Users :Read :[IAO-approved users \ user groups] :Read Supplementary Notes: If an IAO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the IAO.

Check Text ( C-38038r1_chk )

Verifying the Organizational Unit object. 1. Start the Active Directory Users and Computers console (“Start”, “Run…”, “dsa.msc”). Ensure that the Advanced Features item on the View menu is enabled. 2. For each OU that is defined (folder in folder icon): 3. Right-click the OU and select the Properties item. 4. On the OU Properties window, select the Security tab. 5. Compare the ACL of the OU to the specifications for Organizational Unit Objects below. 6. If the actual permissions for any OU object are not at least as restrictive as those below, then this is a finding. Organizational Unit (OU) Object Permissions: [OU - e.g., Domain Controllers] :Administrators, SYSTEM :Full Control (F) :CREATOR OWNER :Full Control (F) :ENTERPRISE DOMAIN CONTROLLERS* :Read :Authenticated Users :Read :[IAO-approved users \ user groups] :Read Supplementary Notes: If an IAO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the IAO.

Fix Text (F-33286r1_fix)
Change the access control permissions for the indicated AD objects to conform to the required guidance.