This applies to domain controllers. It is NA for other systems.
Open a command prompt.
Run "net share".
Make note of the directory location of the SYSVOL share.
By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level.
If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding.
The default permissions noted below meet this requirement:
Open "Command Prompt".
Run "icacls c:\Windows\SYSVOL".
The following results should be displayed:
NT AUTHORITY\Authenticated Users:(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
(RX) - Read & execute
Run "icacls /help" to view definitions of other permission codes.
Alternately, open "File Explorer".
Navigate to \Windows\SYSVOL (or the directory noted previously if different).
Right-click the directory and select properties.
Select the "Security" tab and click "Advanced".
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
Authenticated Users - Read & execute - This folder, subfolders, and files
Server Operators - Read & execute - This folder, subfolders, and files
Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control)
CREATOR OWNER - Full control - Subfolders and files only
Administrators - Full control - Subfolders and files only
SYSTEM - Full control - This folder, subfolders, and files
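The same check can be scripted so it is repeatable across domain controllers. The following PowerShell is an added example, not part of the STIG text: it resolves the SYSVOL share path the way the "net share" step does (here via Get-SmbShare), reads the ACL at the first SYSVOL directory level with Get-Acl, and reports any Allow entry whose rights exceed "Read & execute" for a principal other than the privileged ones named in the default-permission table above. The privileged-principal list and the decision to treat generic read/execute bits (the "(GR,GE)" inherit-only entry icacls shows) as equivalent to "Read & execute" are assumptions made for this script; it must run elevated on the domain controller.

```powershell
# Added example (not from the STIG): audit the SYSVOL root ACL on a domain controller.
# Assumption: these principals may hold more than Read & execute per the table above.
$privileged = @(
    'BUILTIN\Administrators',
    'BUILTIN\Server Operators',
    'NT AUTHORITY\SYSTEM',
    'CREATOR OWNER'
)

# Locate the SYSVOL directory the same way the check does with "net share".
$share = Get-SmbShare -Name 'SYSVOL' -ErrorAction Stop
$path  = $share.Path
Write-Host "SYSVOL share path: $path"

# Rights that together mean "Read & execute" (RX). Generic bits are included because
# Get-Acl reports the inherit-only (GR,GE) entry as raw generic rights, not as ReadAndExecute.
$GENERIC_READ    = 0x80000000L
$GENERIC_EXECUTE = 0x20000000L
$readExec = [int64][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$sync     = [int64][System.Security.AccessControl.FileSystemRights]::Synchronize
$allowed  = $readExec -bor $sync -bor $GENERIC_READ -bor $GENERIC_EXECUTE

# Permissions are verified at the first SYSVOL directory level only, as the check states.
$acl = Get-Acl -Path $path
$findings = @()
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $who = $ace.IdentityReference.Value
    if ($privileged -contains $who) { continue }

    # Normalise to an unsigned 32-bit mask so generic bits compare cleanly.
    $rights = ([int64]$ace.FileSystemRights) -band 0xFFFFFFFFL
    # Any bit outside the RX mask means the principal holds more than Read & execute.
    $extra = $rights -band (-bnot $allowed)
    if ($extra -ne 0) {
        $findings += [pscustomobject]@{
            Principal   = $who
            Rights      = $ace.FileSystemRights
            ExtraBits   = ('0x{0:X}' -f $extra)
            Inherited   = $ace.IsInherited
            AppliesTo   = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No standard account or group exceeds Read & execute at the SYSVOL root: not a finding.'
} else {
    Write-Host 'FINDING: the following principals hold more than Read & execute on SYSVOL:'
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session on each domain controller; a non-empty table corresponds to the "this is a finding" condition in the check, and the Inherited and AppliesTo columns help locate which entry in the Advanced Security dialog to correct.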