UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Directory service data files must have proper access permissions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-8316 DS00.0120_2008_R2 SV-38994r1_rule ECAN-1 ECCD-1 ECCD-2 High
Description
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.
STIG Date
Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide 2012-09-05

Details

Check Text ( C-37981r1_chk )
I. AD Database, Log, and Work Files
1. Use Registry Editor to navigate to HKLM\System\CurrentControlSet\Services\NTDS\Parameters.

2. Note the values for:
-- DSA Database file
-- Database log files path
-- DSA Working Directory.

3. Navigate to the directory locations using Windows Explorer.

4. Verify the ACLs of the AD database, log, and work files with the following:
AD Database, Log, and Work Files Permissions:
...\ntds.dit :Administrators, SYSTEM : Full Control (F)
...\edb*.log, ...\res*.log :Administrators, SYSTEM : Full Control (F)
...\temp.edb, ...\edb.chk :Administrators, SYSTEM : Full Control (F)

[Note: The directory in which these files reside (usually ...\NTDS) may have permissions defined for CREATOR OWNER and Local Service, but these permissions apply at the directory level only, not to the individual files identified here.]

5. If the permissions are not at least as restrictive as required, then this is a finding.
Fix Text (F-33220r1_fix)
Ensure the access control permissions on the AD database, log, and work files are set as follows:

...\ntds.dit :Administrators, SYSTEM : Full Control (F)
...\edb*.log, ...\res*.log :Administrators, SYSTEM : Full Control (F)
...\temp.edb, ...\edb.chk :Administrators, SYSTEM : Full Control (F)