Asked by Albert Widjaja (Australia)
SYSVOL folder permission security best practice?

Hi All,

Can anyone here please let me know what the security best practice is for the SYSVOL folder on my domain controllers?
I've got multiple (~12) Domain Controllers/Global Catalogs running 2008 R2 and 2012 R2.

From what I can see, authenticated users have unrestricted access to SYSVOL, which means they can edit logon scripts, GPO or do any malicious thing.

Any help would be greatly appreciated.

Thanks
SOLUTION (Cliff Galiher, United States)
ASKER

Chris,

Thank you for the quick suggestion and reply. What I'm thinking is to restrict the Authenticated Users to just Read & Write in all of my SYSVOL folders on all 12 Domain Controllers.

Would that be recommended?

And then the testing will be:

Logging into each of the Domain Controllers and executing dcdiag /test:netlogons

Source: https://technet.microsoft.com/en-us/library/cc816833%28v=ws.10%29.aspx
SOLUTION
See the current scripts subdirectory inside the SYSVOL folder:

[Screenshots: NTFS and share permissions of the SYSVOL scripts subdirectory]

Can I change that into Read & Write for the Authenticated Users?
Or is it already correctly set?
SOLUTION
OK, so in this case, as per your observation above, do both the NTFS and the share permissions look OK, or the same compared with your running Domain Controllers?
I am not in front of my test lab to verify. But unless you've already been in there changing things, it should be fine.
Cliff, no, it is the existing setting that I took from my nearest Domain Controllers.

This is the action that was mandated by my newly appointed security manager:

Ensure the permissions on SYSVOL directory do not allow greater than read & execute for standard user accounts or groups. The defaults below meet this requirement.

Name - Authenticated Users
Permission - Read & execute
Apply To - This folder, subfolder and files

Name - Server Operators
Permission - Read & execute
Apply To - This folder, subfolder and files

Name - Administrators
Permission - Special
Apply To - This folder only
(Permission - Special - Permissions: all selected except Full control, Delete subfolders and files)

Name - CREATOR OWNER
Permission - Special (Full control in Detail view)
Apply To - Subfolders and files only

Name - Administrators
Permission - Special (Full control in Detail view)
Apply To - Subfolders and files only

Name - SYSTEM
Permission - Full control
Apply To - This folder, subfolders and files

He got it from: https://www.stigviewer.com/stig/windows_server_2008_r2_domain_controller/2014-04-02/finding/V-27119
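As an added example (not code from this thread or from the STIG page), the following PowerShell check compares a domain controller's SYSVOL NTFS ACL with the baseline quoted above and lists every Allow ACE that grants a standard-user principal more than Read & execute; it assumes SYSVOL is at %SystemRoot%\SYSVOL and, for the share-level listing, that Get-SmbShareAccess is available (2012 R2 and later, not 2008 R2).

```powershell
# Added example, not part of the thread or the STIG. Run in an elevated PowerShell on a DC.
# Assumption: SYSVOL is at %SystemRoot%\SYSVOL; change $SysvolPath if your layout differs.
$SysvolPath = Join-Path $env:SystemRoot 'SYSVOL'

$FsRights      = [System.Security.AccessControl.FileSystemRights]
$ReadExecute   = [int]$FsRights::ReadAndExecute   # 0x200A9: read data/attributes/EA/permissions + execute
$Synchronize   = [int]$FsRights::Synchronize      # 0x100000, present on every Allow ACE
$StandardUsers = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Server Operators')
$Baseline      = $StandardUsers + @('BUILTIN\Administrators', 'CREATOR OWNER', 'NT AUTHORITY\SYSTEM')

function Test-SysvolNtfsBaseline {
    param([string]$Path = $SysvolPath)
    $findings = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id     = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights   # cast keeps bits the enum has no name for
        if ($id -notin $Baseline) {
            $findings += "Principal '$id' is not in the baseline (rights: $($ace.FileSystemRights))"
            continue
        }
        if ($id -notin $StandardUsers) { continue }   # admin/system/owner entries are expected
        if ($rights -lt 0) {
            # Negative value = generic access mask (GENERIC_READ etc.); decide by hand, not by bit test.
            $findings += "'$id' uses a generic access mask ($rights); review manually"
            continue
        }
        # Any right bit outside Read & execute (+ Synchronize) exceeds the baseline.
        $extra = $rights -band (-bnot ($ReadExecute -bor $Synchronize))
        if ($extra -ne 0) {
            $findings += "'$id' has $($ace.FileSystemRights); baseline allows only Read & execute"
        }
    }
    return $findings
}

$ntfs = Test-SysvolNtfsBaseline
if ($ntfs.Count -eq 0) { Write-Host "NTFS ACL on $SysvolPath matches the quoted baseline" }
else { $ntfs | ForEach-Object { Write-Warning $_ } }

# Share-level permissions are intersected with NTFS, so a broad share grant is still limited
# by a Read & execute NTFS ACE; list them so both layers can be compared side by side.
Get-SmbShareAccess -Name 'SYSVOL' |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

Running this on each of the 12 DCs gives a per-server list to compare before any ACL is changed; the dcdiag /test:netlogons run mentioned earlier remains the post-change check.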
SOLUTION
SOLUTION
OK, so in this case, if I install a new DC today, do the share & NTFS permissions get replicated from one DC to another?
SOLUTION
ASKER CERTIFIED SOLUTION
Thanks all!