Check: DS00.0122_2003
Windows 2003 DC STIG:
DS00.0122_2003
(in version v6 r37)
Title
Access control permissions on the GPT directory files must comply with the required guidance. (Cat I impact)
Discussion
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. For AD this data includes identification, authentication, and authorization data. A compromise of this data could have grave consequences to a large number of hosts throughout the AD forest that utilize the directory server data to make access control decisions.
Check Content
1. At a command line prompt enter "net share".
2. Note the location for the SYSVOL share.
3. Checking the noted location in Windows Explorer, compare the ACLs of the GPT *directories* (GPT parent and GPT Policies directories) to the specifications below.
4. If the permissions are not at least as restrictive as those below, then this is a finding.

GPT Parent (SYSVOL) and GPT Policies Directories Permissions:

...\SYSVOL
- Administrators, SYSTEM: Full Control (F)
- Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents
- CREATOR OWNER: Full Control (F) - Subfolders and files only

...\SYSVOL\[domain]\Policies
- Administrators, SYSTEM: Full Control (F)
- Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents
- CREATOR OWNER: Full Control (F) - Subfolders and files only
- Group Policy Creator Owners: Read, Read & Execute, List Folder Contents, Modify, Write
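The four check steps above, scripted as an added audit helper (not part of the STIG text or any DISA tool): it locates the SYSVOL share the way "net share" does, walks the GPT parent and each domain's Policies directory, and reports any Allow ACE that grants a principal more than the listing permits. It assumes an elevated PowerShell session on the domain controller and the English built-in account names.

```powershell
function Get-GptPermissionFindings {
    $FSR    = [System.Security.AccessControl.FileSystemRights]
    $sync   = $FSR::Synchronize
    $ro     = $FSR::ReadAndExecute -bor $sync      # Read, Read & Execute, List Folder Contents
    $full   = $FSR::FullControl
    $modify = $FSR::Modify -bor $sync              # ... plus Modify, Write
    # Maximum rights each principal may hold (account name without the domain prefix).
    $parentAllowed = @{ 'Administrators' = $full; 'SYSTEM' = $full; 'CREATOR OWNER' = $full
                        'Authenticated Users' = $ro; 'Server Operators' = $ro }
    $policiesAllowed = $parentAllowed.Clone()
    $policiesAllowed['Group Policy Creator Owners'] = $modify

    # Steps 1-2: locate the SYSVOL share path (same information "net share" prints).
    $share = Get-WmiObject -Class Win32_Share -Filter "Name='SYSVOL'"
    if (-not $share) { throw 'SYSVOL share not found; is this a domain controller?' }
    $targets = @(@{ Path = $share.Path; Allowed = $parentAllowed })
    foreach ($dom in (Get-ChildItem -Path $share.Path | Where-Object { $_.PSIsContainer })) {
        $p = Join-Path $dom.FullName 'Policies'      # ...\SYSVOL\[domain]\Policies
        if (Test-Path $p) { $targets += @{ Path = $p; Allowed = $policiesAllowed } }
    }
    # Steps 3-4: compare every Allow ACE against the permitted maximum.
    $findings = @()
    foreach ($t in $targets) {
        foreach ($ace in (Get-Acl -Path $t.Path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs only tighten access
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            if (-not $t.Allowed.ContainsKey($name)) {
                $findings += "$($t.Path): unexpected principal '$($ace.IdentityReference)'"
                continue
            }
            $max = $t.Allowed[$name]
            # Inherit-only ACEs surface as generic rights (e.g. 268435456), so the bit mask
            # is only compared for principals limited to less than Full Control.
            if ($max -ne $full -and (([int]$ace.FileSystemRights -band -bnot [int]$max) -ne 0)) {
                $findings += "$($t.Path): '$name' holds $($ace.FileSystemRights), allowed $max"
            }
            $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
            if ($name -eq 'CREATOR OWNER' -and (($ace.PropagationFlags -band $inheritOnly) -eq 0)) {
                $findings += "$($t.Path): CREATOR OWNER must apply to subfolders and files only"
            }
        }
    }
    return $findings
}

$f = Get-GptPermissionFindings
if ($f) { $f; 'FINDING: permissions are less restrictive than required' } else { 'Compliant' }
```

Localized systems will need the account names in the two hashtables adjusted; the rights masks do not change.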
Fix Text
Set the permissions as follows:

GPT Parent (SYSVOL) and GPT Policies Directories Permissions:

...\SYSVOL
- Administrators, SYSTEM: Full Control (F)
- Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents
- CREATOR OWNER: Full Control (F) - Subfolders and files only

...\SYSVOL\[domain]\Policies
- Administrators, SYSTEM: Full Control (F)
- Authenticated Users, Server Operators: Read, Read & Execute, List Folder Contents
- CREATOR OWNER: Full Control (F) - Subfolders and files only
- Group Policy Creator Owners: Read, Read & Execute, List Folder Contents, Modify, Write
Additional Identifiers
Rule ID: SV-34425r2_rule
Vulnerability ID: V-27119
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002235 | Prevent non-privileged users from executing privileged functions. |
Controls
| Number | Title |
|---|---|
| AC-6(10) | Prohibit Non-privileged Users from Executing Privileged Functions |