Detections
Analytics
20.3 Ensure 'Active Directory Domain Controllers Organizational Unit (OU) object have the proper access control permissions' (STIG DC only)
Information
This policy setting ensures that Active Directory Domain Controllers Organizational Unit (OU) objects have the proper access control permissions.The recommended STIG state for this setting is: System Domain Admins Enterprise Admins and Administrators
When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service.
The Domain Controllers OU object requires special attention as the Domain Controllers are central to the configuration and management of the domain. Inappropriate access permissions defined for the Domain Controllers OU could allow intruders or unauthorized personnel to make changes that could lead to the compromise of the domain.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Limit the permissions on the Domain Controllers OU to restrict changes to: System Domain Admins Enterprise Admins and Administrators- Open
Active Directory Users and Computers
- Ensure
Advanced Features
is selected in the
View
menu
- Select the
Domain Controllers
OU
- Right-click and select
Properties
- Select the
Security
tab
Ensure the permissions are set to the above recommendation.
Note The default permissions listed below satisfy this requirement. The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the
Advanced
button, the desired Permission entry, and the
View
or
Edit
button.
Note #2 Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement.
Summary:
CREATOR OWNER - Special permissions SELF - Special permissions and Authenticated Users - Read, Special permissions
The special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties it is not in compliance with this recommendation.
Detailed:
SYSTEM - Full Control Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), and Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions and ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
Note: The Special permissions for Pre-Windows 2000 Compatible Access are Read types.
Note #2: If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties it is not in compliance with this recommendation.
Impact:
Only authorized users will have access control permissions.
See Also
Item Details
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2
Plugin: Windows
Control ID: 2cf31b861a01c51f72ea5ecea3a173e3c5d1d4ee96aa4aefbc6da0a64425af49