Detections
Analytics
WN22-DC-000110 - Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service.For Active Directory, the OU objects require special attention. In a distributed administration model (i.e., help desk), OU objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for OU objects, it could allow an intruder to add or delete users in the OU. This could result in unauthorized access to data or a denial of service (DoS) to authorized users.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Maintain the Allow type permissions on domain-defined OUs to be at least as restrictive as the defaults below.Document any additional permissions above Read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented.
CREATOR OWNER - Special permissions
Self - Special permissions
Authenticated Users - Read, Special permissions
The special permissions for Authenticated Users are Read type.
SYSTEM - Full Control
Domain Admins - Full Control
Enterprise Admins - Full Control
Key Admins - Special permissions
Enterprise Key Admins - Special permissions
Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
Pre-Windows 2000 Compatible Access - Special permissions
The special permissions for Pre-Windows 2000 Compatible Access are for Read types.
ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R1_STIG.zip
Item Details
Audit Name: DISA Windows Server 2022 STIG v1r1
References: CAT|I, CCI|CCI-002235, Rule-ID|SV-254395r849001_rule, STIG-ID|WN22-DC-000110, Vuln-ID|V-254395
Plugin: Windows
Control ID: 6e5a20ded3dcf0e513963a00d1c14a87b8aedb6f2f7a15e3335f3a3f09e2a816