
The access control permissions for Active Directory Group Policy Objects must be configured to use the required access permissions.


Overview

Finding ID: V-33673
Version: DS00.0133_2008
Rule ID: SV-44096r1_rule
IA Controls: ECAN-1, ECCD-1, ECCD-2, ECLP-1
Severity: High
Description
When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems relying on the directory service. For Active Directory (AD), the Group Policy and Organizational Unit (OU) objects require special attention. In a distributed administration model (i.e., help desk), Group Policy and OU objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for Group Policy Objects, this could allow an intruder to change the security policy applied to all domain client computers (workstations and servers). If inappropriate access permissions are defined for OU objects, it could allow an intruder to add or delete users in the OU. This could result in unauthorized access to data or a Denial of Service to authorized users.
STIG: Windows 2008 Domain Controller Security Technical Implementation Guide
Date: 2013-07-03

Details

Check Text (C-41823r1_chk)
Verifying Group Policy Object Procedures:

1. Start the Group Policy Management console (“Start”, “Run…”, “gpmc.msc”).

2. Select and expand the Forest item in the left pane.

3. Select and expand the Group Policy Objects item in the left pane.

4. For *each* Group Policy Object:
a. Select the Group Policy Object Link item in the left pane.
b. Select the Delegation tab.
c. Select the “Advanced…” button.
d. Compare the ACL of each site Group Policy to the specifications for Group Policy Objects below.

Group Policy Object Permissions:
[Group Policy - e.g., Default Domain]
Administrators, SYSTEM: Full Control (F)
CREATOR OWNER: Full Control (F)
ENTERPRISE DOMAIN CONTROLLERS*: Read
Authenticated Users: Read, Apply Group Policy
[IAO-approved users\groups]: Read, Apply Group Policy

5. If the actual permissions for any Group Policy object are not at least as restrictive as those above, then this is a finding.

Supplemental Note:

1. Groups containing authenticated users (such as the Authenticated Users group), other locally created user groups, and individual users may have the Read and Apply Group Policy permissions set to Allow or Deny.

2. The Anonymous Logon, Guests, or any group that contains those groups (in which users are not uniquely identified and authenticated) must not have any access permissions unless the group and the justification are explicitly documented with the IAO.

3. Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the IAO.
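The following PowerShell script is an added example, not part of the STIG check text, that automates steps 3 through 5 and the supplemental notes above: it enumerates every GPO in the domain and reports each trustee whose permission level is more permissive than the baseline table. It uses the Get-GPO and Get-GPPermission cmdlets from the GroupPolicy module (RSAT/GPMC), which report the same coarse permission level GPMC shows on the Delegation tab rather than the raw ACL from the "Advanced..." dialog; the $Baseline, $ApprovedReadApply and $Prohibited tables and the EXAMPLE\IAO-Approved-Group name are assumptions to be replaced with the values documented with the IAO.

```powershell
# Added example (not STIG text): report GPO trustees more permissive than the check's baseline.
# Assumes the GroupPolicy module is installed and the caller can read GPO security.
Import-Module GroupPolicy

# Baseline from the check text: trustee name -> most permissive level allowed.
# "Full Control (F)" in the check corresponds to GpoEditDeleteModifySecurity in GPMC.
$Baseline = @{
    'Administrators'                = 'GpoEditDeleteModifySecurity'
    'SYSTEM'                        = 'GpoEditDeleteModifySecurity'
    'CREATOR OWNER'                 = 'GpoEditDeleteModifySecurity'
    'ENTERPRISE DOMAIN CONTROLLERS' = 'GpoRead'
    'Authenticated Users'           = 'GpoApply'
}
# Placeholder: IAO-approved users/groups from local documentation (Read, Apply allowed).
$ApprovedReadApply = @('EXAMPLE\IAO-Approved-Group')
# Principals that must hold no permission at all (Supplemental Note 2).
$Prohibited = @('ANONYMOUS LOGON', 'Guests')

# Ordinal rank so "more permissive than" is a simple comparison. GpoCustom means GPMC
# could not map the raw ACL to a standard level, so it always needs a manual look.
$Rank = @{ GpoRead = 1; GpoApply = 2; GpoEdit = 3; GpoEditDeleteModifySecurity = 4; GpoCustom = 5 }

$findings = foreach ($gpo in Get-GPO -All) {
    foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
        # Deny entries never widen access (Note 1 allows Deny on Read/Apply), so skip them.
        if ($ace.Denied) { continue }

        $name = $ace.Trustee.Name
        if (-not $name) { $name = $ace.Trustee.Sid.Value }   # unresolved SID: report it raw
        $qualified = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$name" } else { $name }
        $level = $ace.Permission.ToString()

        $reason = $null
        if ($Prohibited -contains $name) {
            $reason = 'Unauthenticated principal has access (Supplemental Note 2)'
        }
        elseif ($Baseline.ContainsKey($name)) {
            if ($Rank[$level] -gt $Rank[$Baseline[$name]]) {
                $reason = "Exceeds baseline of $($Baseline[$name])"
            }
        }
        elseif ($ApprovedReadApply -contains $qualified) {
            if ($Rank[$level] -gt $Rank['GpoApply']) {
                $reason = 'IAO-approved trustee exceeds Read/Apply'
            }
        }
        elseif ($Rank[$level] -gt $Rank['GpoApply']) {
            # Note 1 permits Read/Apply for other authenticated groups and users; anything
            # that allows updating the GPO is a finding unless documented (Note 3).
            $reason = 'Undocumented trustee can modify the GPO (Supplemental Note 3)'
        }

        if ($reason) {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = $qualified
                Permission = $level
                Reason     = $reason
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No GPO permission findings.' }
```

Run it from an account that can read every GPO's security descriptor. Because Get-GPPermission collapses the ACL into GPMC's standard levels, any trustee reported as GpoCustom, and any trustee the script lists under Supplemental Note 3, still has to be compared against the full ACL in the "Advanced..." dialog and against the IAO documentation before it is recorded as a finding; the script narrows the manual review in step 4, it does not replace it.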
Fix Text (F-37566r1_fix)
Change the access control permissions for the indicated Group Policy Objects to conform to the required guidance.