STIGQter STIGQter: STIG Summary: Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide Version: 1 Release: 31 Benchmark Date: 26 Jul 2019: Domain created Active Directory Organizational Unit (OU) objects must have proper access control permissions.

DISA Rule

SV-56720r1_rule

Vulnerability Number

V-39333

Group Title

WINAD-000005-DC

Rule Version

WINAD-000005-DC_2008_R2

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Maintain the permissions on domain defined OUs to be at least as restrictive as the defaults below.

Document any additional permissions above read with the IAO if an approved distributed administration model (help desk or other user support staff) is implemented.

Self - Special permissions

Authenticated Users - Read, Special permissions
The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

SYSTEM - Full Control

Domain Admins - Full Control

Enterprise Admins - Full Control

Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions

Pre-Windows 2000 Compatible Access - Special permissions
The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Check Contents

Verify the permissions on domain defined OUs.

Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".)
Select Advanced Features in the View menu if not previously selected.

For each OU that is defined (folder in folder icon), excluding the Domain Controllers OU:
Right click the OU and select Properties.
Select the Security tab.

If the permissions on the OU are not at least as restrictive as those below, this is a finding.

The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the Advanced button, selecting the desired Permission entry and the Edit button.

Self - Special permissions

Authenticated Users - Read, Special permissions
The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

SYSTEM - Full Control

Domain Admins - Full Control

Enterprise Admins - Full Control

Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions

Pre-Windows 2000 Compatible Access - Special permissions
The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

If an IAO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented with the IAO.

Vulnerability Number

V-39333

Documentable

False

Rule Version

WINAD-000005-DC_2008_R2

Severity Override Guidance

Verify the permissions on domain defined OUs.

Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".)
Select Advanced Features in the View menu if not previously selected.

For each OU that is defined (folder in folder icon), excluding the Domain Controllers OU:
Right click the OU and select Properties.
Select the Security tab.

If the permissions on the OU are not at least as restrictive as those below, this is a finding.

The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the Advanced button, selecting the desired Permission entry and the Edit button.

Self - Special permissions

Authenticated Users - Read, Special permissions
The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

SYSTEM - Full Control

Domain Admins - Full Control

Enterprise Admins - Full Control

Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions

Pre-Windows 2000 Compatible Access - Special permissions
The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

If an IAO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented with the IAO.

Check Content Reference

M

Target Key

1823

Comments