Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.

An XCCDF Rule

Description

<VulnDiscussion>To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-205875r569188_rule
Severity: High
References: CCI-000366
Updated: 8 months ago

Configure directory data (outside the root DSE) of a non-public directory to prevent anonymous access.

For AD, there are multiple configuration items that could enable anonymous access.

Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions should be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc).
The dsHeuristics option is used. This is addressed in check V-8555 in the AD Forest STIG.

Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.

Description

Remediation - Manual Procedure