Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-1130 | 2.006 | SV-25136r2_rule | Medium |
Description |
---|
Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. |
STIG | Date |
---|---|
Windows 7 Security Technical Implementation Guide | 2017-05-16 |
Check Text ( C-62057r3_chk ) |
---|
The default ACL settings are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. Verify the default permissions for the sample directories below. Non-privileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) Viewing in Windows Explorer: Right click on the directory and select "Properties". Select the "Security" tab, and the "Advanced" button. C:\ Type - "Allow" for all Inherited from - " Name - Permission - Apply to Administrators - Full control - This folder, subfolders and files SYSTEM - Full control - This folder, subfolders and files Users - Read & execute - This folder, subfolders and files Authenticated Users - Special - Subfolders and files only (Special = all permissions except Full Control, Delete subfolders and files, Change permissions, and Take ownership when viewing permission details.) Authenticated Users - Create folders / append data - This folder only The Program Files, Program Files (x86), and Windows directories have the following default permissions: Type - "Allow" for all Inherited from - " Name - Permission - Apply to TrustedInstaller - Special - This folder and subfolders (Special = Full control when viewing permission details.) SYSTEM - Special - This folder only (Special = all permissions except Full Control, Delete subfolders and files, Change permissions, and Take ownership when viewing permission details.) SYSTEM - Special - Subfolders and files only (Special = Full control when viewing permission details.) Administrators - Special - This folder only (Special = all permissions except Full Control, Delete subfolders and files, Change permissions, and Take ownership when viewing permission details.) Administrators - Special - Subfolders and files only (Special = Full control when viewing permission details.) Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Special - Subfolders and files only (Special = Full control when viewing permission details.) Alternately use Icacls. In a Command prompt (admin) Enter icacls followed by the directory. icacls c:\ icacls "c:\program files" of "c:\program files (x86)" icacls c:\windows The following results will be displayed as each is entered: c:\ BUILTIN\Administrators:(F) BUILTIN\Administrators:(OI)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Users:(OI)(CI)(RX) NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M) NT AUTHORITY\Authenticated Users:(AD) Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW) Successfully processed 1 files; Failed processing 0 files c:\program files, c:\program files (x86), and c:\windows NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) Successfully processed 1 files; Failed processing 0 files If a permission setting prevents a site's applications from performing properly, settings must only be changed to the minimum necessary for the application to function. Each exception must be documented with the ISSO. |
Fix Text (F-66955r1_fix) |
---|
Maintain the default file ACLs and configure the Security Option: "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (V-3377). |