Check: DS00.0210_AD
Win2k8 Audit: DS00.0210_AD (in version v6 r1.22)
Title
The Synchronize Directory Service Data user right must not be assigned to any account. (Cat I impact)
Discussion
A Windows account with the Synchronize Directory Service Data right has the ability to read all information in the AD database. This bypasses the object access permissions that would otherwise restrict access to the data. The scope of access granted by this right is too broad for secure usage. Specific object permissions or other group membership assignments could be used to provide access on an appropriate scale.
Check Content
Fix Text
If any accounts (including groups) are assigned the Synchronize Directory Service Data user right, remove this right from each such account.
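An added audit script for this check (not part of the STIG text): it exports the effective User Rights Assignment with secedit and reports every account holding the Synchronize Directory Service Data right, whose policy constant is SeSyncAgentPrivilege. It assumes an elevated PowerShell session on the domain controller being audited; the temporary file path is a constructed choice.

```powershell
# Audit for DS00.0210_AD (added example, not the STIG's own check content).
# Assumes an elevated session on the DC under review.
$exportPath = Join-Path $env:TEMP 'ds00-0210-userrights.inf'

# secedit writes one "Privilege = *SID,*SID,..." line per assigned user right;
# a right that is assigned to nobody does not appear in the export at all.
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $exportPath)) { throw "secedit export failed; run elevated." }

$line = Get-Content $exportPath | Where-Object { $_ -match '^\s*SeSyncAgentPrivilege\s*=' }
Remove-Item $exportPath -Force

if (-not $line) {
    Write-Output "PASS: SeSyncAgentPrivilege is not assigned to any account."
    return
}

# Right-hand side is comma-separated; SIDs are prefixed with '*', names appear bare.
$holders = ($line -split '=', 2)[1].Trim() -split ',' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ }

foreach ($holder in $holders) {
    $name = $holder
    if ($holder.StartsWith('*')) {
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($holder.TrimStart('*'))
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = "$holder (unresolved SID)"   # orphaned or foreign SID: still a finding
        }
    }
    Write-Output "FINDING (Cat I): SeSyncAgentPrivilege is assigned to $name"
}
Write-Output "Fix: remove the right under User Rights Assignment > 'Synchronize directory service data' in the policy that grants it."
```

Because the export reflects the effective policy, a finding may originate in a GPO (such as the Default Domain Controllers Policy) rather than the local policy, so remove the assignment at its source or it will be reapplied.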
Additional Identifiers
Rule ID: SV-13345r1_rule
Vulnerability ID: V-12780
Group Title: Synchronize Directory Service Data
CCIs
CCIs tied to check.

| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
Controls tied to check. These are derived from the CCIs shown above.

| Number | Title |
|---|---|
| No controls are assigned to this check | |