Title

ACLs for system files and directories do not conform to minimum requirements. (Cat II impact)

Discussion

Failure to properly configure file and directory permissions (ACLs) allows the possibility of unauthorized and anonymous modification to the operating system and installed applications.

Check Content

The default ACL settings are adequate when the Security Option “Network access: Let everyone permissions apply to anonymous users” is set to “Disabled” (V-3377) and Power User Group Membership is restricted. If the default ACLs are maintained, the referenced option is set to “Disabled” and Powers Users are restricted, this check should normally be marked not a finding. The Power Users group is included in later Windows versions for backward compatibility. If an ACL setting prevents a site’s applications from performing properly, the site can modify that specific setting. Settings should only be changed to the minimum necessary for the application to function. Each exception to the recommended settings should be documented and kept on file by the IAO.

Fix Text

Maintain the default file ACLs, configure the Security Option: “Network access: Let everyone permissions apply to anonymous users” to “Disabled” (V-3377) and restrict the Power Users group to include no members.

Additional Identifiers

Rule ID: SV-16968r1_rule

Vulnerability ID: V-1130

Group Title: System File ACLs

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.