Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-8320 | DS00.1150_2008_R2 | SV-38997r1_rule | DCSL-1 | Medium |
Description |
---|
Improper access permissions for directory server program (executable) and configuration files could allow unauthorized and malicious users to read, modify, or delete those files and change the way a directory server operates. This could lead to a compromise of the confidentiality, availability, and integrity of directory data. Some administration tool packages (such as the Windows Support Tools) include programs designed to perform updates on directory configuration and database data. Even though the directory data should be protected through file and object access permissions, allowing unauthorized access to administrative programs provides a potential attacker with tools already installed in the environment. |
STIG | Date |
---|---|
Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide | 2012-09-05 |
Check Text ( C-37983r1_chk ) |
---|
This check examines only the Windows Support Tools. If none of the tools are installed, then this check is not applicable. 1. Start Windows Explorer. 2. Right-click the “My Computer” item and select “Search…” 3. Type “Support" in the file name field. 4. Select “Local Hard Drives” in the “Look in:” field. 5. Click the Search [or Search Now] button. 6. Record the location for the “Support Tools” directory. The SA may have installed the Support Tools under an alternate name. If the default directory is not found, ask the SA. 7. If the directory is not found and the SA confirms the Support Tools are not installed, then this check is not applicable. 8. Using the recorded location, compare the current ACL of the Support Tools directory to the following: Windows Support Tools Permissions: ...\Support Tools :Administrators, SYSTEM :Full Control (F) : [IAO-approved users \ user groups] :Read, Read & Execute, List Folder Contents 9. If the folder permissions are not at least as restrictive as required, then this is a finding. |
Fix Text (F-33228r1_fix) |
---|
Configure the directory service as follows: Windows Support Tools Permissions: ...\Support Tools :Administrators, SYSTEM :Full Control (F) : [IAO-approved users \ user groups] :Read, Read & Execute, List Folder Contents |