From Windows Server 2008 R2 Domain Controller Security Technical Implementation Guide
Part of WINAD-000005-DC
Associated with: CCI-002235
When Active Directory (AD) objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service.
Verify the permissions on domain defined OUs. Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) Select Advanced Features in the View menu if not previously selected. For each OU that is defined (folder in folder icon), excluding the Domain Controllers OU: Right click the OU and select Properties. Select the Security tab. If the permissions on the OU are not at least as restrictive as those below, this is a finding. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the Advanced button, selecting the desired Permission entry and the Edit button. Self - Special permissions Authenticated Users - Read, Special permissions The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Full Control Enterprise Admins - Full Control Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions If an IAO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented with the IAO.
Maintain the permissions on domain defined OUs to be at least as restrictive as the defaults below. Document any additional permissions above read with the IAO if an approved distributed administration model (help desk or other user support staff) is implemented. Self - Special permissions Authenticated Users - Read, Special permissions The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. SYSTEM - Full Control Domain Admins - Full Control Enterprise Admins - Full Control Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer