20.43 Ensure 'Organization created Active Directory Organizational Unit (OU) objects have proper access control permissions' (STIG DC only)

Information

This policy setting ensures that Active Directory Organizational Unit (OU) objects that are created by the organization have proper access control permissions.

The recommended STIG state for this setting is: CREATOR OWNER - Special permissions Self - Special permissions Authenticated Users - Read, Special permissions SYSTEM - Full Control Domain Admins - Full Control Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions and ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Note: The special permissions for Authenticated Users are Read type.

Note #2: The special permissions for Pre-Windows 2000 Compatible Access are for Read types.

When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service.

For Active Directory, the OU objects require special attention. In a distributed administration model (i.e., help desk), OU objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for OU objects, it could allow an intruder to add or delete users in the OU. This could result in unauthorized access to data or a denial of service (DoS) to authorized users.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Maintain the Allow type permissions on organization-defined OUs to be at least as restrictive as the defaults below.

- Open

Active Directory Users and Computers

- Ensure

Advanced Features

is selected in the

View

menu

For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU:

- Right-click the OU and select

Properties

- Select the

Security

tab

Set the permission to the following: CREATOR OWNER - Special permissions Self - Special permissions Authenticated Users - Read, Special permissions SYSTEM - Full Control Domain Admins - Full Control Enterprise Admins - Full Control Key Admins - Special permissions Enterprise Key Admins - Special permissions Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions Pre-Windows 2000 Compatible Access - Special permissions and ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Note: The special permissions for Authenticated Users are Read type.

Note #2: The special permissions for Pre-Windows 2000 Compatible Access are for Read types.

Note #3: Document any additional permissions above Read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented.

Impact:

Only authorized users will have access control permissions.

See Also

https://workbench.cisecurity.org/benchmarks/15301