An error occurred:

Check: WN16-DC-000080

Microsoft Windows Server 2016 STIG: WN16-DC-000080 (in versions v2 r8 through v2 r2)

Title

The Active Directory SYSVOL directory must have the proper access control permissions. (Cat I impact)

Discussion

Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. The SYSVOL directory contains public files (to the domain) such as policies and logon scripts. Data in shared subdirectories are replicated to all domain controllers in a domain.

Check Content

This applies to domain controllers. It is NA for other systems. Open a command prompt. Run "net share". Make note of the directory location of the SYSVOL share. By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding. The default permissions noted below meet this requirement. Open "Command Prompt". Run "icacls c:\Windows\SYSVOL". The following results should be displayed: NT AUTHORITY\Authenticated Users:(RX) NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE) BUILTIN\Server Operators:(RX) BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE) BUILTIN\Administrators:(M,WDAC,WO) BUILTIN\Administrators:(OI)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M,WDAC,WO) CREATOR OWNER:(OI)(CI)(IO)(F) (RX) - Read & execute Run "icacls /help" to view definitions of other permission codes.

Fix Text

Maintain the permissions on the SYSVOL directory. Do not allow greater than "Read & execute" permissions for standard user accounts or groups. The defaults below meet this requirement. C:\Windows\SYSVOL Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Authenticated Users - Read & execute - This folder, subfolder, and files Server Operators - Read & execute- This folder, subfolder, and files Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control) CREATOR OWNER - Full control - Subfolders and files only Administrators - Full control - Subfolders and files only SYSTEM - Full control - This folder, subfolders, and files

Additional Identifiers

Rule ID: SV-224971r877392_rule

Vulnerability ID: V-224971

Group Title: SRG-OS-000324-GPOS-00125

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002235

The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-6 (10)

Prohibit Non-Privileged Users From Executing Privileged Functions