WN12-AD-000001-DC - Active Directory data files must have proper access control permissions.

Information

Improper access permissions for directory data related files could allow unauthorized users to read, modify, or delete directory data or audit trails.

Solution

Ensure the permissions on NTDS database and log files are at least as restrictive as the following:
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)

(I) - permission inherited from parent container
(F) - full access

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_and_2012_R2_DC_V3R4_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(10), CAT|I, CCI|CCI-002235, Rule-ID|SV-226070r794318_rule, STIG-ID|WN12-AD-000001-DC, STIG-Legacy|SV-51175, STIG-Legacy|V-8316, Vuln-ID|V-226070

Plugin: Windows

Control ID: 6fa9114b1805b49c1d86ab26809b5e63e2b68f5784356181cf66b5f67c645672