UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

File share permissions must be configured to remove the Everyone group.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3245 2.015 SV-29213r2_rule Medium
Description
By default, the Everyone group is given full control to new file shares. When a share is created, permissions should be reconfigured to give the minimum access to those accounts that require it.
STIG Date
Windows 2008 Domain Controller Security Technical Implementation Guide 2016-05-12

Details

Check Text ( C-29879r3_chk )
Run the Computer Management Applet.
Expand the “System Tools” object in the Tree window.
Expand the “Shared Folders” object.
Select the “Shares” object.
Right click any user-created shares (ignore “Netlogon”, “Sysvol” and administrative shares; the system will prompt you if Properties are selected for administrative shares).
Select Properties.
Select the Share Permissions tab.

If user-created file shares have not been reconfigured to remove ACL permissions from the “Everyone group”, then this is a finding.

Note: Right clicking on “Computer” on the desktop or from the menu and selecting “Manage” will open Server Manager in Windows 2008, not Computer Management as in previous Windows versions.

Note: On Application Servers, if regular users have write or delete permissions to shares containing application binary files (i.e. .exe, .dll, .cmd, etc.) this is a finding.

Documentable: If shares created by applications require the "Everyone" group, this should be documented with the IAO.
Fix Text (F-59r1_fix)
Remove permissions from the Everyone group from locally-created file shares and assign them to authorized groups.