Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-27109 | DS00.0121_2008 | SV-34410r1_rule | | Medium |
Description |
---|
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. |
STIG | Date |
---|---|
Windows 2008 Domain Controller Security Technical Implementation Guide | 2013-10-01 |
Check Text ( C-13250r1_chk ) |
---|

- With the assistance of the SA or application SA, determine the names and locations of the directory server database, log, and work files.
- Using the locations determined, compare the ACLs or permission bits of the files (or directories, if appropriate) to the specifications below.
- If the actual permissions are not at least as restrictive as those below, then this is a Finding.

Windows Permissions:

- Administrators, CREATOR OWNER, SYSTEM: Full Control (F)
- [Directory server owner account\group]: Full Control (F)
- [Directory server execution account\group]: Full Control (F)
- [Other directory server group]: Read & Execute (R)
- [IAO-approved users \ user groups]: Read & Execute (R)

UNIX Permissions:

- root: Read\Write\Exec (7)
- [Directory server owner account\group]: Read\Write\Exec (7)
- [Directory server execution account\group]: Read\Write\Exec (7)
- [Other directory server group]: Read\Exec (5)
- [IAO-approved users \ user groups]: Read\Exec (5)

*Note* - Wherever possible, define no (0) access for the "group" and/or "other" permissions on UNIX directories or files containing sensitive data and directory backup files.
Fix Text (F-14374r1_fix) |
---|

- Change the access control permissions on the directory data files to conform to the following guidance:

Windows Permissions:

- Administrators, CREATOR OWNER, SYSTEM: Full Control (F)
- [Directory server owner account\group]: Full Control (F)
- [Directory server execution account\group]: Full Control (F)
- [Other directory server group]: Read & Execute (R)
- [IAO-approved users \ user groups]: Read & Execute (R)

UNIX Permissions:

- root: Read\Write\Exec (7)
- [Directory server owner account\group]: Read\Write\Exec (7)
- [Directory server execution account\group]: Read\Write\Exec (7)
- [Other directory server group]: Read\Exec (5)
- [IAO-approved users \ user groups]: Read\Exec (5)

*Note* - Wherever possible, define no (0) access for the "group" and/or "other" permissions on UNIX directories or files containing sensitive data and directory backup files.
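As an added example that is not part of the STIG text, the PowerShell script below automates the comparison step of the check (and verifies that the fix has been applied) by reporting every Allow ACE on the directory data locations that is broader than the Windows specification above. The default path is the standard AD DS database location and is an assumption to confirm with the SA; the owner, execution, other-directory-group and IAO-approved principals are site-specific placeholders to fill in.

```powershell
# Added example (not STIG text): audit NTFS ACLs on directory data files for V-27109.
param(
    [string[]]$Paths = @("$env:SystemRoot\NTDS"),                  # assumed default; confirm with the SA
    [string[]]$FullControlPrincipals = @('BUILTIN\Administrators',
                                         'CREATOR OWNER',
                                         'NT AUTHORITY\SYSTEM'),   # add owner/execution accounts here
    [string[]]$ReadExecutePrincipals = @()                          # other directory group, IAO-approved users
)

function Test-DirectoryDataAcl {
    param([string]$Path, [string[]]$FullControl, [string[]]$ReadExecute)
    # Read & Execute as icacls grants it (RX): ReadAndExecute plus Synchronize.
    $rx = [int]([System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
                [System.Security.AccessControl.FileSystemRights]::Synchronize)
    $findings = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }       # Deny ACEs only restrict access
        $id     = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights                       # generic rights cast to their raw mask
        if ($FullControl -contains $id) { continue }               # Full Control is permitted for these
        if ($ReadExecute -contains $id) {
            # Any bit outside RX (Write, Modify, generic rights, ...) is broader than allowed.
            if (($rights -band (-bnot $rx)) -eq 0) { continue }
            $reason = 'Rights exceed Read & Execute'
        } else {
            $reason = 'Identity not in the approved list'
        }
        $findings += [pscustomobject]@{
            Path = $Path; Identity = $id; Rights = $ace.FileSystemRights; Reason = $reason
        }
    }
    return $findings
}

foreach ($p in $Paths) {
    $f = Test-DirectoryDataAcl -Path $p -FullControl $FullControlPrincipals -ReadExecute $ReadExecutePrincipals
    if ($f) { $f | Format-Table -AutoSize }
    else    { "$p : permissions are at least as restrictive as required" }
}
```

Any row in the output is a Finding under the check text; an ACE carrying generic rights is reported for manual review rather than silently accepted.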