Albert Widjaja (Australia) asked:

SYSVOL folder permission security best practice?

Hi All,

Can anyone here please let me know what the security best practice is for the SYSVOL folder on my domain controllers?
I've got multiple (~12) Domain Controllers/Global Catalogs running 2008 R2 and 2012 R2.

From what I can see, authenticated users have unrestricted access to SYSVOL, which means they can edit logon scripts, GPO or do any malicious thing.

Any help would be greatly appreciated.

Thanks
Tags: Microsoft Server OS, Active Directory, OS Security, Security, Exchange

Last Comment: Albert Widjaja, 8/22/2022 - Mon
SOLUTION
Cliff Galiher

Albert Widjaja

ASKER
Chris,

Thank you for the quick suggestion and reply. What I'm thinking is to secure the Authenticated Users to just Read & Write only in all of my SYSVOL folders on all 12 Domain Controllers.

Would that be recommended?

And then the testing will be:

Logging into each of the Domain Controller and execute dcdiag /test:netlogons

Source: https://technet.microsoft.com/en-us/library/cc816833%28v=ws.10%29.aspx
SOLUTION
Cliff Galiher

Albert Widjaja

ASKER
See the current scripts subdirectory inside the SYSVOL folder:

[screenshot: SYSVOL script]
[screenshot: Shared permission]
Can I change that into Read & Write for the Authenticated Users?
Or is it already correctly set?
SOLUTION
Cliff Galiher

Albert Widjaja

ASKER
OK, so in this case, as per your observation above, do both the NTFS and the Share permissions look OK, or the same as on your running Domain Controllers?
Cliff Galiher

I am not in front of my test lab to verify. But unless you've already been in there changing things, it should be fine.
Albert Widjaja

ASKER
Cliff, no it is the existing setting that I took from my nearest Domain Controllers.

This is the action that was mandated by my newly appointed security manager:

Ensure the permissions on SYSVOL directory do not allow greater than read & execute for standard user accounts or groups. The defaults below meet this requirement.

Name - Authenticated Users
Permission - Read & execute
Apply To - This folder, subfolder and files

Name - Server Operators
Permission - Read & execute
Apply To - This folder, subfolder and files

Name - Administrators
Permission - Special
Apply To - This folder only
(Permission - Special - Permissions: all selected except Full control, Delete subfolders and files)

Name - CREATOR OWNER
Permission - Special (Full control in Detail view)
Apply To - Subfolders and files only

Name - Administrators
Permission - Special (Full control in Detail view)
Apply To - Subfolders and files only

Name - SYSTEM
Permission - Full control
Apply To - This folder, subfolders and files
He got it from: https://www.stigviewer.com/stig/windows_server_2008_r2_domain_controller/2014-04-02/finding/V-27119
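The STIG baseline quoted above can be checked on all 12 DCs instead of being compared by eye. The PowerShell script below is an added example; it is not from this thread, from the STIG, or from Microsoft. It assumes the ActiveDirectory module is installed, that the ADMIN$ share on each DC is reachable (so \\dc\ADMIN$\SYSVOL is %SystemRoot%\SYSVOL, the directory V-27119 covers), and that the function name Test-SysvolAcl and the list of principals allowed to hold write rights (Administrators, SYSTEM, CREATOR OWNER, taken from the defaults quoted above) are the example's own choices. It reads the NTFS ACL of the SYSVOL root on each DC and flags any Allow ACE that grants write, delete, permission-change or ownership rights to any other principal.

```powershell
# Added example (not from the thread): audit the SYSVOL root ACL on every DC
# against the STIG V-27119 defaults quoted above. Reports only; changes nothing.
Import-Module ActiveDirectory

# Principals the quoted baseline permits to hold more than Read & execute (assumption:
# taken from the defaults in the post; adjust if your baseline differs).
$PrivilegedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

# Specific rights that exceed "Read & execute": any write, delete, permission or
# ownership change. Modify and FullControl ACEs contain these bits, so they are caught.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
             [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Inherit-only ACEs (typically CREATOR OWNER) may carry generic rights instead of
# specific ones; GENERIC_ALL and GENERIC_WRITE both imply write access.
$GenericWriteMask = 0x10000000 -bor 0x40000000

function Test-SysvolAcl {
    param([Parameter(Mandatory)][string]$DomainController)

    # ADMIN$ maps to %SystemRoot%, so this is the SYSVOL directory itself, not the share alias
    $path = "\\$DomainController\ADMIN$\SYSVOL"
    $acl  = Get-Acl -LiteralPath $path

    foreach ($ace in $acl.Access) {
        # Only Allow ACEs can widen access; Deny ACEs cannot cause a finding here
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $principal   = $ace.IdentityReference.Value
        $rightsValue = [int]$ace.FileSystemRights
        $grantsWrite = (($rightsValue -band $WriteMask) -ne 0) -or
                       (($rightsValue -band $GenericWriteMask) -ne 0)

        $finding = 'OK'
        if ($grantsWrite -and ($principal -notin $PrivilegedPrincipals)) {
            $finding = 'EXCEEDS READ & EXECUTE'
        }

        [pscustomobject]@{
            DomainController = $DomainController
            Principal        = $principal
            Rights           = $ace.FileSystemRights
            Inherited        = $ace.IsInherited
            Finding          = $finding
        }
    }
}

# Run the check against every DC in the domain; findings sort ahead of OK rows
$results = Get-ADDomainController -Filter * |
           ForEach-Object { Test-SysvolAcl -DomainController $_.HostName }

$results | Sort-Object Finding, DomainController |
           Format-Table DomainController, Principal, Rights, Inherited, Finding -AutoSize
```

The script only reads ACLs, so it is safe to run before any change is made; it checks the SYSVOL root that the STIG entry describes, not the Policies and scripts subfolders, whose own ACEs (for example for the group that manages GPOs) should be reviewed separately. An "EXCEEDS READ & EXECUTE" row for Authenticated Users is the condition the security manager's requirement is about; an unexpected privileged principal in the list is also worth a second look, since the baseline names only three.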
SOLUTION
arnold

SOLUTION
McKnife

Albert Widjaja

ASKER
OK, so in this case, if I install a new DC today, do the Share & NTFS permissions get replicated from one DC to another?
SOLUTION
McKnife

ASKER CERTIFIED SOLUTION
arnold

Albert Widjaja

ASKER
Thanks all!