
Access Control permissions on the FRS Directory data files must have proper access permissions.


Overview

Finding ID: V-27109
Version: DS00.0121_2008
Rule ID: SV-34410r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.
STIG: Windows 2008 Domain Controller Security Technical Implementation Guide
Date: 2013-10-01

Details

Check Text ( C-13250r1_chk )
- With the assistance of the SA or application SA, determine the names and locations of directory server database, log, and work files.
- Using the locations determined, compare the ACLs or permission bits of the files (or directories if appropriate) to the specifications below.
- If the actual permissions are not at least as restrictive as those below, then this is a Finding.

Windows Permissions:
Administrators, CREATOR OWNER, SYSTEM : Full Control (F)
[Directory server owner account\group] : Full Control (F)
[Directory server execution account\group] : Full Control (F)
[Other directory server group] : Read & Execute (R)
[IAO-approved users \ user groups] : Read & Execute (R)

UNIX Permissions:
root : Read\Write\Exec (7)
[Directory server owner account\group] : Read\Write\Exec (7)
[Directory server execution account\group] : Read\Write\Exec (7)
[Other directory server group] : Read\Exec (5)
[IAO-approved users \ user groups] : Read\Exec (5)

*Note* - As far as possible, no (0) access is to be defined for the group and\or other permissions on UNIX directories or files containing sensitive data and directory backup files.
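The Windows side of the check above can be scripted: for every Allow ACE on each data file, accept the Full Control identities, confine the Read & Execute identities to at most ReadAndExecute (plus the implicit Synchronize), and report every other identity as a finding. This is an added example, not part of the STIG or the viewer; the paths and the DOMAIN\... account names are placeholders standing in for the values the SA identifies on site.

```powershell
# Added example: audit NTFS ACLs on directory data files against the STIG allow-list.
# Locations and site-specific accounts below are placeholders; substitute the ones the
# SA or application SA identifies (database, log, and work files).
$DataPaths = @('D:\PLACEHOLDER\DirectoryDatabase', 'D:\PLACEHOLDER\DirectoryLogs')

# Identities permitted Full Control (F). Bracketed STIG roles are placeholder accounts.
$FullControl = @(
    'BUILTIN\Administrators', 'CREATOR OWNER', 'NT AUTHORITY\SYSTEM',
    'DOMAIN\DirSvcOwner',      # [Directory server owner account\group]      (placeholder)
    'DOMAIN\DirSvcExec'        # [Directory server execution account\group]  (placeholder)
)
# Identities permitted at most Read & Execute (R).
$ReadExec = @(
    'DOMAIN\DirSvcReaders',    # [Other directory server group]              (placeholder)
    'DOMAIN\ApprovedAuditors'  # [IAO-approved users \ user groups]          (placeholder)
)
# Rights that a Read & Execute entry may carry (Synchronize is always present on NTFS).
$RxMask = [int]([System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
                [System.Security.AccessControl.FileSystemRights]::Synchronize)

function Test-DirectoryDataAcl {
    param([string[]]$Paths)
    $findings = @()
    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) { $findings += "$path : path not found"; continue }
        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            # Deny entries only tighten access; only Allow entries can widen it.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($FullControl -contains $id) { continue }
            if ($ReadExec -contains $id) {
                # Any right outside the RX mask (Write, Modify, Full Control...) is a finding.
                $extra = ([int]$ace.FileSystemRights) -band (-bnot $RxMask)
                if ($extra -ne 0) {
                    $findings += "$path : $id has $($ace.FileSystemRights); only Read & Execute allowed"
                }
                continue
            }
            # Any identity not on the allow-list widens access and is a finding.
            $findings += "$path : $id is not an approved identity ($($ace.FileSystemRights))"
        }
    }
    return $findings
}

$result = @(Test-DirectoryDataAcl -Paths $DataPaths)
if ($result.Count -eq 0) { 'No findings: permissions are at least as restrictive as the STIG.' }
else { $result }
```

Run it as an administrator on the domain controller; inherited ACEs are evaluated too, so an over-broad entry inherited from a parent directory is reported against each data path it reaches.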
Fix Text (F-14374r1_fix)
- Change the access control permissions on the directory data files to conform to the following guidance:

Windows Permissions:
Administrators, CREATOR OWNER, SYSTEM : Full Control (F)
[Directory server owner account\group] : Full Control (F)
[Directory server execution account\group] : Full Control (F)
[Other directory server group] : Read & Execute (R)
[IAO-approved users \ user groups] : Read & Execute (R)

UNIX Permissions:
root : Read\Write\Exec (7)
[Directory server owner account\group] : Read\Write\Exec (7)
[Directory server execution account\group] : Read\Write\Exec (7)
[Other directory server group] : Read\Exec (5)
[IAO-approved users \ user groups] : Read\Exec (5)

*Note* - As far as possible, no (0) access is to be defined for the “group” and\or “other” permissions on UNIX directories or files containing sensitive data and directory backup files.