Check: DS00.0130_2003
Windows 2003 DC STIG: DS00.0130_2003 (in version v6 r37)
Title
The access control permissions for the directory service site group policy must be configured to use the required access permissions. (Cat I impact)
Discussion
When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service. For AD, the Group Policy and OU objects require special attention. In a distributed administration model (such as might be used with a help desk or other user support staff), Group Policy and OU objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for Group Policy Objects, it could allow an intruder to change the security policy applied to all domain client computers (workstations and servers). If inappropriate access permissions are defined for OU objects, it could allow an intruder to add or delete users in the OU. This could result in unauthorized access to data or a denial of service to authorized users.
Check Content
Verifying Group Policy Object Procedures - Site Policies:

1. Start the Active Directory Sites and Services console ("Start", "Run…", "dssite.msc").
2. Select and expand the Sites item in the left pane.
3. For each AD site that is defined (building icon):
   a. Right-click the AD site and select the Properties item.
   b. On the site Properties window, select the Group Policy tab.
   c. For *each* Group Policy Object Link:
   d. Select the Group Policy Object Link item.
   e. Select the Properties button.
   f. On the site Group Policy Properties window, select the Security tab.
   g. Compare the ACL of each site Group Policy to the specifications for Group Policy Objects below.

Group Policy Object Permissions:

| [Group Policy - e.g., Default Domain] | Permission |
|---|---|
| Administrators, SYSTEM | Full Control (F) |
| CREATOR OWNER | Full Control (F) |
| ENTERPRISE DOMAIN CONTROLLERS* | Read |
| Authenticated Users | Read, Apply Group Policy |
| [IAO-approved users \ user groups] | Read, Apply Group Policy |

4. If the actual permissions for any AD site Group Policy object are not at least as restrictive as those above, then this is a finding.

Supplemental Note: An AD instance may have no AD site Group Policies defined.

1. Groups containing authenticated users (such as the Authenticated Users group), other locally created user groups, and individual users may have the Read and Apply Group Policy permissions set to Allow or Deny.
2. The Anonymous Logon, Guests, or any group that contains those groups (in which users are not uniquely identified and authenticated) must not have any access permissions unless the group and justification is explicitly documented with the IAO.
3. Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the IAO.
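The following PowerShell script is an added example for this check; it is not part of the STIG text and not a DISA-provided tool. It automates the comparison in step 3.g for every site-linked GPO: it reads each site object's gPLink attribute from the configuration partition, reads the DACL of each linked GPO object (the same ACL shown on the Security tab), and reports ACEs that grant update rights to principals other than Administrators, SYSTEM and CREATOR OWNER, or that name Anonymous Logon or Guests. Assumptions: it is run from a domain-joined PowerShell host as a user with read access to the configuration and domain partitions; the principal names are the NT account forms the ACL resolves to on a typical domain; Domain Admins and Enterprise Admins are treated as "Administrators" because default GPO ACLs carry them. IAO-documented exceptions and the `[IAO-approved users \ user groups]` entries are not known to the script and must still be reviewed by hand.

```powershell
# Added example (not STIG text): report site-linked GPO ACEs that exceed the
# baseline in the check above. Read-only; it changes nothing in AD.

# Principals allowed to hold update/full-control rights (STIG: Administrators,
# SYSTEM, CREATOR OWNER). Domain Admins / Enterprise Admins are an assumption
# added because default GPO ACLs carry them; adjust to the IAO-approved list.
$PrivilegedOk        = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
$PrivilegedOkPattern = '^[^\\]+\\(Domain Admins|Enterprise Admins)$'

# Principals that must not appear at all without IAO documentation (note 2).
$Forbidden = @('NT AUTHORITY\ANONYMOUS LOGON', 'BUILTIN\Guests')

# Any of these rights lets the GPO object be updated; granting them to anyone
# outside $PrivilegedOk is a finding under supplemental note 3.
$WriteMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
             [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
             [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor
             [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
             [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree -bor
             [System.DirectoryServices.ActiveDirectoryRights]::Self

function Get-SiteGpoLink {
    # Reads every site object's gPLink attribute and yields one record per linked GPO.
    param([string]$ConfigNc)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$ConfigNc"
    $searcher.Filter = '(objectClass=site)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'gplink'))
    foreach ($result in $searcher.FindAll()) {
        $siteName = [string]$result.Properties['name'][0]
        if ($result.Properties['gplink'].Count -eq 0) { continue }   # site has no GPO links
        $gpLink = [string]$result.Properties['gplink'][0]
        # gPLink format: [LDAP://<GPO DN>;<options>][LDAP://<GPO DN>;<options>]...
        # options bit 0x1 = link disabled, 0x2 = enforced
        foreach ($m in [regex]::Matches($gpLink, '\[LDAP://([^;\]]+);(\d+)\]', 'IgnoreCase')) {
            [pscustomobject]@{
                Site    = $siteName
                GpoDn   = $m.Groups[1].Value
                Options = [int]$m.Groups[2].Value
            }
        }
    }
}

function Test-SiteGpoAcl {
    # Compares one GPO object's DACL with the baseline and yields a record per deviation.
    param([string]$GpoDn, [string]$Site)
    $gpo   = [ADSI]"LDAP://$GpoDn"
    $name  = [string]$gpo.Properties['displayName'].Value
    $rules = $gpo.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        try   { $id = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $id = $sid.Value }   # orphaned SID: keep S-1-... so it is still reported
        $isWrite = ([int]$rule.ActiveDirectoryRights -band [int]$WriteMask) -ne 0
        $isPriv  = ($PrivilegedOk -contains $id) -or ($id -match $PrivilegedOkPattern)
        $reason  = $null
        if ($Forbidden -contains $id) {
            $reason = 'Anonymous Logon/Guests principal present (note 2)'
        } elseif ($isWrite -and $rule.AccessControlType -eq 'Allow' -and -not $isPriv) {
            $reason = 'Update permission outside Administrators/SYSTEM/CREATOR OWNER (note 3)'
        }
        # Deny ACEs (e.g., Deny Apply Group Policy on a filtered group) are permitted by note 1.
        if ($reason) {
            [pscustomobject]@{
                Site     = $Site
                GPO      = $name
                Identity = $id
                Rights   = $rule.ActiveDirectoryRights
                Type     = $rule.AccessControlType
                Finding  = $reason
            }
        }
    }
}

$configNc = [string]([ADSI]"LDAP://RootDSE").Properties['configurationNamingContext'].Value
$findings = foreach ($link in Get-SiteGpoLink -ConfigNc $configNc) {
    Test-SiteGpoAcl -GpoDn $link.GpoDn -Site $link.Site
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No site-linked GPO ACL deviations found.' }
```

Each reported row is a candidate finding for step 4, to be reconciled against the IAO documentation before it is recorded. The script deliberately does not flag Deny ACEs or Read/Apply Group Policy grants to authenticated groups, since supplemental note 1 permits those; it also does not check the SYSVOL folder ACL, which is outside this check.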
Fix Text
Configure the access control permissions for the directory service database objects using the required access permissions.
Additional Identifiers
Rule ID: SV-15602r2_rule
Vulnerability ID: V-2370
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002235 | Prevent non-privileged users from executing privileged functions. |
Controls
| Number | Title |
|---|---|
| AC-6(10) | Prohibit Non-privileged Users from Executing Privileged Functions |