5.7 DB2_GRP_LOOKUP Registry Variable (Windows only)

Information

The DB2_GRP_LOOKUP registry variable specifies which Windows security mechanism DB2 uses to enumerate the groups that a user belongs to (the local machine's group database, the user's domain, or the user's access token). Because DB2 authorization is granted largely through group membership, review this variable periodically to confirm that group definitions are taken from the intended location during authentication.

Rationale:

An incorrectly configured DB2_GRP_LOOKUP registry variable can cause unexpected authorization behaviour: if groups are enumerated from the wrong location, a low-privileged user may be matched to a group that holds privileges on the database and gain access to sensitive data.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Run the following command to set the DB2_GRP_LOOKUP registry variable to the appropriate location for group lookup (valid values are LOCAL, DOMAIN, TOKEN, TOKENLOCAL and TOKENDOMAIN):

db2set DB2_GRP_LOOKUP=<location for group lookup>

Use db2set -i <instance> to set the variable for a single instance, or db2set -g to set it globally for all instances on the machine. Registry variable changes take effect only after the instance is restarted (db2stop followed by db2start).
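The following PowerShell script is an added example for auditing this control across every DB2 instance on a Windows host; it is not part of the CIS benchmark or the Tenable audit. It assumes the DB2 command-line tools (db2ilist, db2set) are on the PATH, and the expected value DOMAIN is a placeholder for whatever location your site has chosen. It resolves the effective value the way DB2 does (instance-level setting, falling back to the global one) so that a variable set only with db2set -g is not reported as missing.

```powershell
# Added example (not from the CIS/Tenable text): audit DB2_GRP_LOOKUP on all local
# DB2 instances and report deviations from the site's chosen value.
# Assumptions: db2ilist and db2set are on PATH; $Expected='DOMAIN' is a placeholder.
param(
    [ValidateSet('LOCAL', 'DOMAIN', 'TOKEN', 'TOKENLOCAL', 'TOKENDOMAIN')]
    [string]$Expected = 'DOMAIN'
)

function Get-Db2RegistryValue {
    # Returns the value printed by "db2set <scope> VAR", or $null when it is unset.
    param([string[]]$ScopeArgs, [string]$Variable)
    $out = (& db2set @ScopeArgs $Variable 2>$null | Out-String).Trim()
    if ([string]::IsNullOrEmpty($out)) { return $null }
    return $out
}

# Instance-level values override the global (-g) value, so check both.
$global = Get-Db2RegistryValue -ScopeArgs @('-g') -Variable 'DB2_GRP_LOOKUP'

$instances = (& db2ilist 2>$null | Out-String) -split "`r?`n" |
    ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
if (-not $instances) {
    Write-Error 'No DB2 instances found (db2ilist returned nothing).'
    exit 2
}

$nonCompliant = 0
foreach ($inst in $instances) {
    $instValue = Get-Db2RegistryValue -ScopeArgs @('-i', $inst) -Variable 'DB2_GRP_LOOKUP'
    $effective = if ($null -ne $instValue) { $instValue } else { $global }
    $scope     = if ($null -ne $instValue) { 'instance' } else { 'global' }

    if ($null -eq $effective) {
        Write-Output "[FAIL] $inst : DB2_GRP_LOOKUP is not set at instance or global scope"
        $nonCompliant++
    }
    elseif ($effective.ToUpperInvariant() -ne $Expected) {
        Write-Output "[FAIL] $inst : DB2_GRP_LOOKUP=$effective ($scope scope), expected $Expected"
        $nonCompliant++
    }
    else {
        Write-Output "[PASS] $inst : DB2_GRP_LOOKUP=$effective ($scope scope)"
    }
}

# Remediation for a single instance (uncomment to apply, then db2stop/db2start it):
# & db2set -i $inst "DB2_GRP_LOOKUP=$Expected"

if ($nonCompliant -gt 0) { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell session as a user that can read the DB2 profile registry; a non-zero exit code makes it easy to wire into a scheduled compliance check.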

See Also

https://workbench.cisecurity.org/benchmarks/23492

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Windows

Control ID: ace1518eb5813ed1a9b0305d3a7b0a5b08b21e0259ad6155f034aa1013019ebe