Detections
Analytics

WN12-AD-000003-DC - Active Directory Group Policy objects must have proper access control permissions.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems relying on the directory service.

For Active Directory (AD), the Group Policy objects require special attention. In a distributed administration model (i.e., help desk), Group Policy objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for Group Policy Objects, this could allow an intruder to change the security policy applied to all domain client computers (workstations and servers).

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Ensure the permissions on Group Policy objects do not allow greater than Read and Apply group policy for standard user accounts or groups. The default permissions below meet this requirement.

Authenticated Users - Read, Apply group policy, Special permissions
The Special permissions for Authenticated Users are for Read type Properties.

CREATOR OWNER - Special permissions

SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions

Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions

Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions

ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Document any other access permissions that allow the objects to be updated with the ISSO.

The Domain Admins and Enterprise Admins will not have the 'Delete all child objects' permission on the two default group policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created group policy objects.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_and_2012_R2_DC_V3R4_STIG.zip

Item Details

References: CAT|I, CCI|CCI-002235, Rule-ID|SV-226072r794772_rule, STIG-ID|WN12-AD-000003-DC, STIG-Legacy|SV-51177, STIG-Legacy|V-33673, Vuln-ID|V-226072

Plugin: Windows

Control ID: b228bf62d59596b51bb96090a48dd7c762175b296365758c7d0d918b50f3444b