The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-39332 | WN12-AD-000004-DC | SV-51178r3_rule | ECCD-1 ECCD-2 ECLP-1 | High |
| Description |
|---|
| When Active Directory (AD) objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service. The Domain Controllers OU object requires special attention as the Domain Controllers are central to the configuration and management of the domain. Inappropriate access permissions defined for the Domain Controllers OU could allow an intruder or unauthorized personnel to make changes which could lead to the compromise of the domain. |
| STIG | Date |
|---|---|
| Windows Server 2012 / 2012 R2 Domain Controller Security Technical Implementation Guide | 2016-12-19 |
Details
| Check Text ( C-49409r2_chk ) |
|---|
| Verify the permissions on the Domain Controllers OU. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Select Advanced Features in the View menu if not previously selected. Navigate to the Domain Controllers OU (folder in folder icon). Right click the OU and select Properties. Select the Security tab. If the permissions on the Domain Controllers OU are not at least as restrictive as those below, this is a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the Advanced button, selecting the desired Permission entry, and the Edit button. SELF - Special permissions Authenticated Users - Read, Special permissions The Special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Enterprise Admins - Full Control Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions |
| Fix Text (F-49481r1_fix) |
|---|
| Maintain the permissions on the Domain Controllers OU to be at least as restrictive as the defaults below. SELF - Special permissions Authenticated Users - Read, Special permissions The Special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Enterprise Admins - Full Control Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions |