Check: DS00.0120_2003
Windows 2003 DC STIG:
DS00.0120_2003
(in version v6 r37)
Title
Access control permissions on the AD database, log, and work files must conform to the required guidance. (Cat I impact)
Discussion
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.
Check Content
I. AD Database, Log, and Work Files

1. Use Registry Editor to navigate to HKLM\System\CurrentControlSet\Services\NTDS\Parameters.
2. Note the values for:
   -- DSA Database file
   -- Database log files path
   -- DSA Working Directory
3. Navigate to the directory locations using Windows Explorer.
4. Verify the ACLs of the AD database, log, and work files against the following:

   AD Database, Log, and Work Files Permissions:

   | File(s) | Principals | Permission |
   |---|---|---|
   | ...\ntds.dit | Administrators, SYSTEM | Full Control (F) |
   | ...\edb*.log, ...\res*.log | Administrators, SYSTEM | Full Control (F) |
   | ...\temp.edb, ...\edb.chk | Administrators, SYSTEM | Full Control (F) |

   [Note: The directory in which these files reside (usually ...\NTDS) may have permissions defined for CREATOR OWNER and Local Service, but these permissions apply at the directory level only, not to the individual files identified here.]

5. If the permissions are not at least as restrictive as required, then this is a finding.
Fix Text
Ensure the access control permissions on the AD database, log, and work files are set as follows:

| File(s) | Principals | Permission |
|---|---|---|
| ...\ntds.dit | Administrators, SYSTEM | Full Control (F) |
| ...\edb*.log, ...\res*.log | Administrators, SYSTEM | Full Control (F) |
| ...\temp.edb, ...\edb.chk | Administrators, SYSTEM | Full Control (F) |
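The PowerShell script below is an added example, not DISA's or the STIG's own tooling, that automates the five check steps on a domain controller: it reads the three NTDS registry values, resolves the files the check names, and reports any Allow ACE on those files for a trustee other than Administrators or SYSTEM, which is the "not at least as restrictive" finding condition. It assumes an elevated session on the DC being assessed, and it compares principals by well-known SID (S-1-5-32-544 for BUILTIN\Administrators, S-1-5-18 for SYSTEM) so the result does not depend on localized account names; the helper `Get-AceSid` is the example's own.

```powershell
# Added example (not DISA's or the STIG's own tooling): automate the DS00.0120_2003 check.
# Assumptions: elevated PowerShell session on the domain controller being assessed;
# the required ACL is Administrators and SYSTEM with Full Control and nothing else,
# as the Check Content states.
$regPath = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$params  = Get-ItemProperty -Path $regPath

$dbFile  = $params.'DSA Database file'         # typically ...\NTDS\ntds.dit
$logDir  = $params.'Database log files path'   # holds edb*.log and res*.log
$workDir = $params.'DSA Working Directory'     # holds temp.edb and edb.chk

# Steps 2-3: resolve the individual files the STIG names (the wildcards are the STIG's own).
$targets = @(@(
    Get-Item      -Path $dbFile                      -ErrorAction SilentlyContinue
    Get-ChildItem -Path $logDir  -Filter 'edb*.log'  -File -ErrorAction SilentlyContinue
    Get-ChildItem -Path $logDir  -Filter 'res*.log'  -File -ErrorAction SilentlyContinue
    Get-ChildItem -Path $workDir -Filter 'temp.edb'  -File -ErrorAction SilentlyContinue
    Get-ChildItem -Path $workDir -Filter 'edb.chk'   -File -ErrorAction SilentlyContinue
) | Where-Object { $_ })

# BUILTIN\Administrators and NT AUTHORITY\SYSTEM, by well-known SID.
$requiredSids = @('S-1-5-32-544', 'S-1-5-18')
$fullControl  = [System.Security.AccessControl.FileSystemRights]::FullControl

# Example helper (not a built-in cmdlet): map an ACE's trustee to its SID string.
function Get-AceSid {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    try   { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $Ace.IdentityReference.Value }   # unresolvable (e.g. orphaned) SID: keep the raw text
}

# Steps 4-5: any Allow ACE for a trustee other than Administrators/SYSTEM makes the file
# less restrictive than required. Inherited ACEs count, because they are effective on the
# file even when they originate from the NTDS directory's own ACL.
$findings = foreach ($file in $targets) {
    $acl = Get-Acl -Path $file.FullName
    foreach ($ace in $acl.Access) {
        $sid = Get-AceSid -Ace $ace
        if ($ace.AccessControlType -eq 'Allow' -and $requiredSids -notcontains $sid) {
            [pscustomobject]@{
                File      = $file.FullName
                Trustee   = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    # Not a finding under "at least as restrictive", but worth surfacing: a required
    # principal without Full Control means the ACL also does not match the Fix Text.
    foreach ($sid in $requiredSids) {
        $grant = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (Get-AceSid -Ace $_) -eq $sid -and
            (($_.FileSystemRights -band $fullControl) -eq $fullControl)
        }
        if (-not $grant) { Write-Warning "$($file.FullName): $sid lacks Full Control" }
    }
}

if ($findings) {
    Write-Output 'FINDING: Allow ACEs for trustees other than Administrators and SYSTEM:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output "Compliant: $($targets.Count) file(s) grant access only to Administrators and SYSTEM."
}
```

The script only reports; remediation per the Fix Text is left to the administrator, since replacing the ACL on ntds.dit and the log files is best done deliberately (for example with icacls or Set-Acl after confirming the output) rather than automatically during an assessment.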
Additional Identifiers
Rule ID: SV-15601r3_rule
Vulnerability ID: V-8316
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002235 | Prevent non-privileged users from executing privileged functions. |
Controls
| Number | Title |
|---|---|
| AC-6(10) | Prohibit Non-privileged Users from Executing Privileged Functions |