Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3245 | 2.015 | SV-29213r2_rule | Medium |
Description |
---|
By default, the Everyone group is given full control to new file shares. When a share is created, permissions should be reconfigured to give the minimum access to those accounts that require it. |
STIG | Date |
---|---|
Windows 2008 Domain Controller Security Technical Implementation Guide | 2017-03-02 |
Check Text ( C-29879r3_chk ) |
---|
Run the Computer Management Applet. Expand the “System Tools” object in the Tree window. Expand the “Shared Folders” object. Select the “Shares” object. Right click any user-created shares (ignore “Netlogon”, “Sysvol” and administrative shares; the system will prompt you if Properties are selected for administrative shares). Select Properties. Select the Share Permissions tab. If user-created file shares have not been reconfigured to remove ACL permissions from the “Everyone group”, then this is a finding. Note: Right clicking on “Computer” on the desktop or from the menu and selecting “Manage” will open Server Manager in Windows 2008, not Computer Management as in previous Windows versions. Note: On Application Servers, if regular users have write or delete permissions to shares containing application binary files (i.e. .exe, .dll, .cmd, etc.) this is a finding. Documentable: If shares created by applications require the "Everyone" group, this should be documented with the IAO. |
Fix Text (F-59r1_fix) |
---|
Remove permissions from the Everyone group from locally-created file shares and assign them to authorized groups. |