1.1.1.2.3.19 Configure 'Synchronize directory service data'

Information

The Synchronize directory service data user right affects domain controllers; only domain controllers should be able to synchronize directory service data. Domain controllers have this user right inherently, because the synchronization process runs in the context of the System account on domain controllers. Attackers who have this user right can view all information stored within the directory. They could then use some of that information to facilitate additional attacks or expose sensitive data, such as direct telephone numbers or physical addresses.

Solution

Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Synchronize directory service data

Impact: None. This is the default configuration.
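As an added example (not part of the CIS benchmark or the Tenable audit file), the following PowerShell script checks the effective assignment of this user right on a member server or workstation. It assumes it runs elevated and that the right's policy constant is SeSyncAgentPrivilege; the temporary export path is a constructed value.

```powershell
# Added audit example: export the effective local security policy with secedit
# and report which accounts hold 'Synchronize directory service data'
# (privilege constant SeSyncAgentPrivilege). Run elevated on a non-domain-controller;
# on domain controllers the synchronization runs inherently as System.
$exportPath = Join-Path $env:TEMP 'secpol-export.inf'   # constructed temp path
secedit /export /cfg $exportPath /quiet | Out-Null

# secedit writes the .inf as UTF-16, so read it with Unicode encoding
$policy = Get-Content -Path $exportPath -Encoding Unicode

# Inside [Privilege Rights] the line looks like:
#   SeSyncAgentPrivilege = *S-1-5-21-...-1105,DOMAIN\SomeAccount
# If the right is assigned to nobody, the line is simply absent.
$line = $policy | Where-Object { $_ -match '^\s*SeSyncAgentPrivilege\s*=' }

$assigned = @()
if ($line) {
    $assigned = @((($line -split '=', 2)[1] -split ',') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Entries prefixed with '*' are SIDs; translate them to account names for the report
$resolved = @(foreach ($entry in $assigned) {
    if ($entry.StartsWith('*')) {
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $entry }   # unresolvable (e.g. deleted account): keep the raw SID
    } else { $entry }
})

# Expected state on a member server: no account holds the right (the default)
if ($resolved.Count -eq 0) {
    Write-Output 'PASS: SeSyncAgentPrivilege is not assigned to any account.'
} else {
    Write-Output ('FAIL: SeSyncAgentPrivilege is assigned to: ' + ($resolved -join ', '))
}

Remove-Item -Path $exportPath -Force -ErrorAction SilentlyContinue
```

A FAIL result on a non-domain-controller means a Group Policy or local policy has granted the right and should be investigated, since the page's expected configuration assigns it to no one.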

See Also

https://workbench.cisecurity.org/files/42

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(7), CCE|CCE-3368-8

Plugin: Windows

Control ID: bda5e3768948faadb95ce20f8099d1f291b6a7212e715a499e2a2b8a1712240c