20.53 Ensure 'Permissions on Active Directory data files only allow System and Administrator access' (STIG DC only)

Information

This policy setting ensures that permissions on Active Directory data files only allow System and Administrator access.

Improper access permissions for directory data-related files could allow unauthorized users to read, modify, or delete directory data or audit trails.

Solution

Change the permissions on the

NTDS database

and

log files

to the following:

NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F)

(I) - permission inherited from parent container

(F) - full access

Impact:

Users that do not have Administrator access will not be able to read, modify, or delete directory data or audit trails.

See Also

https://workbench.cisecurity.org/benchmarks/15105