Title

The Synchronize directory service data user right must be configured to include no accounts or groups (blank). (Cat I impact)

Discussion

A Windows account with the "Synchronize directory service data" right has the ability to read all information in the AD database. This bypasses the object access permissions that would otherwise restrict access to the data. The scope of access granted by this right is too broad for secure usage. Specific object permissions or other group membership assignments could be used to provide access on an appropriate scale.

Check Content

Fix Text

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Synchronize directory service data" to be defined but containing no entries (blank).

Additional Identifiers

Rule ID: SV-54939r1_rule

Vulnerability ID: V-12780

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.