Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-27109 | DS00.0121_2008_R2 | SV-39018r1_rule | | Medium |
Description |
---|
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. |
STIG | Date |
---|---|
Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide | 2012-09-05 |
Check Text ( C-38014r1_chk ) |
---|

With the assistance of the SA or application SA, determine the names and locations of directory server database, log, and work files.

- Using the locations determined, compare the ACLs or permission bits of the files (or directories if appropriate) to the specifications below.
- If the actual permissions are not at least as restrictive as those below, then this is a finding.

Windows Permissions:

- Administrators, CREATOR OWNER, SYSTEM : Full Control (F)
- [Directory server owner account\group] : Full Control (F)
- [Directory server execution account\group] : Full Control (F)
- [Other directory server group] : Read & Execute (R)
- [IAO-approved users \ user groups] : Read & Execute (R)

UNIX Permissions:

- root : Read\Write\Exec (7)
- [Directory server owner account\group] : Read\Write\Exec (7)
- [Directory server execution account\group] : Read\Write\Exec (7)
- [Other directory server group] : Read\Exec (5)
- [IAO-approved users \ user groups] : Read\Exec (5)

*Note: As far as possible, no (0) access is to be defined for the group and\or other permissions on UNIX directories or files containing sensitive data and directory backup files.
Fix Text (F-33253r1_fix) |
---|

Change the access control permissions on the directory data files to conform to the following guidance:

Windows Permissions:

- Administrators, CREATOR OWNER, SYSTEM : Full Control (F)
- [Directory server owner account\group] : Full Control (F)
- [Directory server execution account\group] : Full Control (F)
- [Other directory server group] : Read & Execute (R)
- [IAO-approved users \ user groups] : Read & Execute (R)

UNIX Permissions:

- root : Read\Write\Exec (7)
- [Directory server owner account\group] : Read\Write\Exec (7)
- [Directory server execution account\group] : Read\Write\Exec (7)
- [Other directory server group] : Read\Exec (5)
- [IAO-approved users \ user groups] : Read\Exec (5)

*Note: As far as possible, no (0) access is to be defined for the “group” and\or “other” permissions on UNIX directories or files containing sensitive data and directory backup files.