Windows Server 2025 permissions on the Active Directory data files must only allow system administrators (SAs) access.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-278138 | WN25-DC-000070 | SV-278138r1182081_rule | CCI-002235 | high |
| Description | ||||
| Improper access permissions for directory data-related files could allow unauthorized users to read, modify, or delete directory data or audit trails. Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000206-GPOS-00084 | ||||
| STIG | Date | |||
| Microsoft Windows Server 2025 Security Technical Implementation Guide | 2026-02-20 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-6(10)
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.7
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-002235
1.00
- DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-278138r1182081_chk)
This applies to domain controllers. It is not applicable for other systems.
Run "Regedit".
Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters".
Note the directory locations in the values for:
Database log files path
DSA Database file
By default, they will be \Windows\NTDS.
If the locations are different, run the following for each:
Open "command prompt (Admin)".
Navigate to the NTDS directory (\Windows\NTDS by default).
Run "icacls *.*".
If the permissions on each file are not as restrictive as the following, this is a finding:
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
(I) - permission inherited from parent container
(F) - full access
Fix Text (F-82573r1181119_fix)
Maintain the permissions on NTDS database and log files as follows:
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
(I) - permission inherited from parent container
(F) - full access