SV-205743r569188_rule
V-205743
SRG-OS-000324-GPOS-00125
WN19-DC-000110
CAT I
10
Maintain the Allow type permissions on domain-defined OUs to be at least as restrictive as the defaults below.
Document any additional permissions above Read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented.
CREATOR OWNER - Special permissions
Self - Special permissions
Authenticated Users - Read, Special permissions
The special permissions for Authenticated Users are Read type.
SYSTEM - Full Control
Domain Admins - Full Control
Enterprise Admins - Full Control
Key Admins - Special permissions
Enterprise Key Admins - Special permissions
Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
Pre-Windows 2000 Compatible Access - Special permissions
The special permissions for Pre-Windows 2000 Compatible Access are for Read types.
ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
This applies to domain controllers. It is NA for other systems.
Review the permissions on domain-defined OUs.
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
Ensure "Advanced Features" is selected in the "View" menu.
For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU:
Right-click the OU and select "Properties".
Select the "Security" tab.
If the Allow type permissions on the OU are not at least as restrictive as those below, this is a finding.
The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "Edit" or "View" button.
Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement.
CREATOR OWNER - Special permissions
Self - Special permissions
Authenticated Users - Read, Special permissions
The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.
SYSTEM - Full Control
Domain Admins - Full Control
Enterprise Admins - Full Control
Key Admins - Special permissions
Enterprise Key Admins - Special permissions
Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
Pre-Windows 2000 Compatible Access - Special permissions
The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.
ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO.
If any OU with improper permissions includes identification or authentication data (e.g., accounts, passwords, or password hash data) used by systems to determine access control, the severity is CAT I (e.g., OUs that include user accounts, including service/application accounts).
If an OU with improper permissions does not include identification and authentication data used by systems to determine access control, the severity is CAT II (e.g., Workstation, Printer OUs).
V-205743
False
WN19-DC-000110
This applies to domain controllers. It is NA for other systems.
Review the permissions on domain-defined OUs.
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
Ensure "Advanced Features" is selected in the "View" menu.
For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU:
Right-click the OU and select "Properties".
Select the "Security" tab.
If the Allow type permissions on the OU are not at least as restrictive as those below, this is a finding.
The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "Edit" or "View" button.
Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement.
CREATOR OWNER - Special permissions
Self - Special permissions
Authenticated Users - Read, Special permissions
The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.
SYSTEM - Full Control
Domain Admins - Full Control
Enterprise Admins - Full Control
Key Admins - Special permissions
Enterprise Key Admins - Special permissions
Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
Pre-Windows 2000 Compatible Access - Special permissions
The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.
ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO.
If any OU with improper permissions includes identification or authentication data (e.g., accounts, passwords, or password hash data) used by systems to determine access control, the severity is CAT I (e.g., OUs that include user accounts, including service/application accounts).
If an OU with improper permissions does not include identification and authentication data used by systems to determine access control, the severity is CAT II (e.g., Workstation, Printer OUs).
M
2907