STIGQter STIGQter: STIG Summary: Microsoft Windows Server 2016 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 04 May 2021:

The Active Directory SYSVOL directory must have the proper access control permissions.

DISA Rule

SV-224971r569186_rule

Vulnerability Number

V-224971

Group Title

SRG-OS-000324-GPOS-00125

Rule Version

WN16-DC-000080

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Maintain the permissions on the SYSVOL directory. Do not allow greater than "Read & execute" permissions for standard user accounts or groups. The defaults below meet this requirement.

C:\Windows\SYSVOL
Type - "Allow" for all
Inherited from - "None" for all

Principal - Access - Applies to

Authenticated Users - Read & execute - This folder, subfolder, and files
Server Operators - Read & execute- This folder, subfolder, and files
Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control)
CREATOR OWNER - Full control - Subfolders and files only
Administrators - Full control - Subfolders and files only
SYSTEM - Full control - This folder, subfolders, and files

Check Contents

This applies to domain controllers. It is NA for other systems.

Open a command prompt.

Run "net share".

Make note of the directory location of the SYSVOL share.

By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level.

If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding.

The default permissions noted below meet this requirement.

Open "Command Prompt".

Run "icacls c:\Windows\SYSVOL".

The following results should be displayed:

NT AUTHORITY\Authenticated Users:(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Server Operators:(RX)
BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
BUILTIN\Administrators:(M,WDAC,WO)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M,WDAC,WO)
CREATOR OWNER:(OI)(CI)(IO)(F)

(RX) - Read & execute

Run "icacls /help" to view definitions of other permission codes.

Vulnerability Number

V-224971

Documentable

False

Rule Version

WN16-DC-000080

Severity Override Guidance

This applies to domain controllers. It is NA for other systems.

Open a command prompt.

Run "net share".

Make note of the directory location of the SYSVOL share.

By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level.

If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding.

The default permissions noted below meet this requirement.

Open "Command Prompt".

Run "icacls c:\Windows\SYSVOL".

The following results should be displayed:

NT AUTHORITY\Authenticated Users:(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Server Operators:(RX)
BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
BUILTIN\Administrators:(M,WDAC,WO)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M,WDAC,WO)
CREATOR OWNER:(OI)(CI)(IO)(F)

(RX) - Read & execute

Run "icacls /help" to view definitions of other permission codes.

Check Content Reference

M

Target Key

4205

Comments