Information
This policy setting ensures that the Active Directory
SYSVOL
directory has proper access control permissions.
The recommended STIG state for this setting is: NT AUTHORITY\Authenticated Users:(RX) NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE) BUILTIN\Server Operators:(RX) BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE) BUILTIN\Administrators:(M,WDAC,WO) BUILTIN\Administrators:(OI)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) and CREATOR OWNER:(OI)(CI)(IO)(F)
Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data.
Solution
Modify permissions on the SYSVOL directory, if necessary. Do not allow greater than Read & execute permissions for standard user accounts or groups. The defaults below meet this requirement:
- Open
File Explorer
- Navigate to
\Windows\SYSVOL
(or the directory noted previously if different)
- Right-click the directory and select
properties
- Select the
Security
tab
- Click
Advanced
Configure the audit permission settings.
C:\Windows\SYSVOL Type - 'Allow' for all Inherited from - 'None' for all
Principal - Access - Applies to
Authenticated Users - Read & execute - This folder, subfolder, and files Server Operators - Read & execute- This folder, subfolder, and files Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control) CREATOR OWNER - Full control - Subfolders and files only Administrators - Full control - Subfolders and files only and SYSTEM - Full control - This folder, subfolders, and files
Impact:
Users that do not have access will not be able to read, modify, or delete directory data or audit trails.