5.8 DB2_GRP_LOOKUP Registry Variable (Windows only)

Information

The DB2_GRP_LOOKUP registry variable specifies which Windows security mechanism is used to enumerate the groups that a user belongs to. Periodic review of this variable is required to ensure that the correct location is being used for group definitions during authentication.

Rationale:

Incorrectly configured DB2_GRP_LOOKUP registry variable could result in unexpected authorization behavior where a low privileged user could potentially get access to sensitive data.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Run the following command to set the DB2_GRP_LOOKUP registry variable to the appropriate location for group lookup:

db2set DB2_GRP_LOOKUP=<location for group lookup>

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Windows

Control ID: 834d0bb23aafbff9ee82f176b16bd8826fa37007663ef1f5e3e3a457885e1eba