STIGQter: STIG Summary: Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide Version: 3 Release: 2 Benchmark Date: 04 May 2021

Active Directory Group Policy objects must have proper access control permissions.

DISA Rule

SV-226072r569184_rule

Vulnerability Number

V-226072

Group Title

SRG-OS-000324-GPOS-00125

Rule Version

WN12-AD-000003-DC

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Ensure the permissions on Group Policy objects do not allow greater than Read and Apply group policy for standard user accounts or groups. The default permissions below meet this requirement.

Authenticated Users - Read, Apply group policy, Special permissions

The Special permissions for Authenticated Users are for Read type Properties.

CREATOR OWNER - Special permissions

SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions

Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions

Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions

ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Document any other access permissions that allow the objects to be updated with the ISSO.

The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default group policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created group policy objects.

Check Contents

Verify the permissions on Group Policy objects.

Open "Group Policy Management". (Available from various menus or run "gpmc.msc".)
Navigate to "Group Policy Objects" in the domain being reviewed (Forest > Domains > Domain).

For each Group Policy object:
Select the Group Policy object item in the left pane.
Select the Delegation tab in the right pane.
Select the Advanced button.

If any standard user accounts or groups have greater than Allow permissions of Read and Apply group policy, this is a finding.

Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO.

The default permissions noted below meet this requirement.

The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next Advanced button, selecting the desired Permission entry, and the Edit button.

Authenticated Users - Read, Apply group policy, Special permissions

The Special permissions for Authenticated Users are for Read type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

The Special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties.

CREATOR OWNER - Special permissions

SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions

Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions

Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions

ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default group policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created group policy objects.

The Anonymous Logon, Guests, or any group that contains those groups (in which users are not uniquely identified and authenticated) must not have any access permissions unless the group and justification are explicitly documented with the ISSO.
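The manual procedure above (and the default permission set in the Fix Recommendation) can be swept across every GPO in one pass. This is an added example, not code from the STIG or from STIGQter; it assumes the RSAT GroupPolicy and ActiveDirectory modules, the trustee display names GPMC shows, and my own mapping of "Create, Delete, Modify, or Write" onto ActiveDirectoryRights flags.

```powershell
# Added example, not part of the STIG or STIGQter: sweeps every GPO in the
# current domain the way the manual check does (Delegation tab, then Advanced)
# and reports what the rule calls a finding. Needs the RSAT GroupPolicy and
# ActiveDirectory modules; run from a domain-joined administrative session.
Import-Module GroupPolicy
Import-Module ActiveDirectory   # supplies the AD: drive used for the Advanced view

# Default trustees the rule lists as compliant (names as GPMC displays them; assumption)
$DefaultAdminTrustees = 'CREATOR OWNER', 'SYSTEM', 'Domain Admins',
                        'Enterprise Admins', 'ENTERPRISE DOMAIN CONTROLLERS'
# Groups whose members are not uniquely authenticated; any ACE for them is a finding
$UnauthenticatedTrustees = 'ANONYMOUS LOGON', 'Guests', 'Domain Guests'
# Rights treated here as "Create, Delete, Modify, or Write" in the Advanced view (assumption).
# ExtendedRight is deliberately excluded: "Apply group policy" is itself an extended right.
$WriteMask = [System.DirectoryServices.ActiveDirectoryRights](
    'CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, ' +
    'GenericWrite, WriteDacl, WriteOwner, GenericAll')

function Find-GpoDelegationFindings {
    foreach ($gpo in Get-GPO -All) {
        # Summary level (Delegation tab): non-default trustees may hold Read/Apply only
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            $name = $perm.Trustee.Name
            if ($UnauthenticatedTrustees -contains $name) {
                [pscustomobject]@{ GPO = $gpo.DisplayName; Trustee = $name
                                   Finding = "unauthenticated group holds $($perm.Permission)" }
            } elseif ($DefaultAdminTrustees -notcontains $name -and
                      $perm.Permission -notin 'GpoRead', 'GpoApply') {
                [pscustomobject]@{ GPO = $gpo.DisplayName; Trustee = $name
                                   Finding = "summary permission $($perm.Permission) exceeds Read/Apply" }
            }
        }
        # Advanced level: the Authenticated Users special permissions must be read-only
        $acl = Get-Acl -Path "AD:\$($gpo.Path)"
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -like '*\Authenticated Users' -and
                $ace.AccessControlType -eq 'Allow' -and
                ($ace.ActiveDirectoryRights -band $WriteMask)) {
                [pscustomobject]@{ GPO = $gpo.DisplayName; Trustee = 'Authenticated Users'
                                   Finding = "advanced ACE allows $($ace.ActiveDirectoryRights)" }
            }
        }
    }
}

$findings = Find-GpoDelegationFindings
if ($findings) { $findings | Format-Table -AutoSize } else { 'No GPO delegation findings.' }
```

Trustees that the ISSO has documented still appear in the output; compare it against that documentation before recording a finding.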

Vulnerability Number

V-226072

Documentable

False

Rule Version

WN12-AD-000003-DC

Severity Override Guidance

Check Content Reference

M

Target Key

4217

Comments