Microsoft Windows Server 2022

Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions

STIG ID: WN22-DC-000080 | SRG: SRG-OS-000324-GPOS-00125 | Severity: High | CCI: CCI-002235 | Vulnerability ID: V-254392

Description

Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. The SYSVOL directory contains files that are public to the domain, such as Group Policy templates and logon scripts. Data in the shared subdirectories is replicated to all domain controllers in the domain.

Check

C-57877r848990_chk

This applies to domain controllers. It is NA for other systems.

Open a command prompt.

Run "net share".

Make note of the directory location of the SYSVOL share.

By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level.

If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding. The default permissions noted below meet this requirement:

Open "Command Prompt".

Run "icacls c:\Windows\SYSVOL".

The following results must be displayed:

NT AUTHORITY\Authenticated Users:(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Server Operators:(RX)
BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
BUILTIN\Administrators:(M,WDAC,WO)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)

(RX) - Read & execute

Run "icacls /help" to view definitions of other permission codes.
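The check above is a manual comparison against the expected icacls output. The PowerShell script below is an added example for this page, not part of the STIG, that automates the same decision: it resolves the SYSVOL share path from the server instead of assuming C:\Windows\SYSVOL\sysvol, moves one level up to the first SYSVOL directory, and flags every Allow ACE held by a principal other than SYSTEM, Administrators, and CREATOR OWNER (the three the defaults above permit beyond Read & execute; treating everything else as a "standard" principal is this example's assumption) that carries any right outside Read & execute. The inherit-only (OI)(CI)(IO)(GR,GE) entries are GENERIC_READ and GENERIC_EXECUTE, which map to Read & execute when they propagate to child objects, so they are accepted as equivalent. Get-SysvolRootPath and Test-SysvolRootAcl are names chosen here; the script assumes the SmbShare module and an elevated session on the domain controller.

```powershell
# Added example for WN22-DC-000080 (not part of the STIG text).
# Assumes: run elevated on a domain controller; Get-SmbShare (SmbShare module)
# and Get-Acl are available. The privileged-principal list is an assumption
# taken from the default ACL listed in the Check.

function Get-SysvolRootPath {
    # Resolve the share's real path from the server rather than hard-coding it.
    $share = Get-SmbShare -Name 'SYSVOL' -ErrorAction Stop
    # The requirement is verified one level up, at the first SYSVOL directory
    # (by default C:\Windows\SYSVOL, the parent of ...\SYSVOL\sysvol).
    return (Split-Path -Path $share.Path -Parent)
}

function Test-SysvolRootAcl {
    param(
        [string]   $Path = (Get-SysvolRootPath),
        # Principals the default ACL allows more than Read & execute (assumption).
        [string[]] $PrivilegedPrincipals = @('NT AUTHORITY\SYSTEM',
                                             'BUILTIN\Administrators',
                                             'CREATOR OWNER')
    )

    # Bits a standard principal may hold: ReadAndExecute (0x001200A9, which
    # already includes Synchronize) plus GENERIC_READ (0x80000000) and
    # GENERIC_EXECUTE (0x20000000), the (GR,GE) pair icacls prints on the
    # inherit-only ACEs. Anything outside this mask exceeds Read & execute.
    $allowed = [int64]0x001200A9 -bor 0x80000000 -bor 0x20000000

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($PrivilegedPrincipals -contains $ace.IdentityReference.Value) { continue }

        # FileSystemRights is a signed Int32; generic rights appear as a negative
        # number, so widen to 64 bits and keep only the low 32 bits before masking.
        $bits   = [int64]([int]$ace.FileSystemRights) -band 0xFFFFFFFF
        $excess = $bits -band (-bnot $allowed)
        if ($excess -ne 0) {
            # One finding object per offending ACE.
            [pscustomobject]@{
                Path        = $Path
                Principal   = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                ExcessMask  = ('0x{0:X8}' -f $excess)
                Inherited   = $ace.IsInherited
                Inheritance = $ace.InheritanceFlags
            }
        }
    }
}

$findings = @(Test-SysvolRootAcl)
if ($findings.Count -eq 0) {
    Write-Output 'WN22-DC-000080: no standard principal exceeds Read & execute on the SYSVOL root.'
} else {
    Write-Output 'WN22-DC-000080: FINDING - the following ACEs exceed Read & execute:'
    $findings | Format-Table -AutoSize
}
```

Against the default ACL in the Check this returns nothing: the two Authenticated Users and two Server Operators entries reduce to 0x001200A9 and 0xA0000000, both inside the allowed mask, and the remaining entries belong to the privileged principals and are skipped. Any extra Allow ACE for a domain group, or a Modify (M) or Full control (F) grant to Authenticated Users or Server Operators, is reported with the specific excess bits so the entry can be matched back to the icacls output.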

Fix

F-57828r848991_fix

Maintain the permissions on the SYSVOL directory. Do not allow greater than "Read & execute" permissions for standard user accounts or groups. The defaults below meet this requirement:

C:\Windows\SYSVOL
Type - "Allow" for all
Inherited from - "None" for all

Principal - Access - Applies to
Authenticated Users - Read & execute - This folder, subfolders, and files
Server Operators - Read & execute - This folder, subfolders, and files
Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control)
CREATOR OWNER - Full control - Subfolders and files only
Administrators - Full control - Subfolders and files only
SYSTEM - Full control - This folder, subfolders, and files