Windows Server 2025 permissions on the Active Directory data files must only allow system administrators (SAs) access.

STIG ID: WN25-DC-000070  |  SRG: SRG-OS-000324-GPOS-00125 |  Severity: high (CAT I)  |  CCI: CCI-002235,CCI-001314 |  Vulnerability Id: V-278138

Vulnerability Discussion

Improper access permissions for directory data-related files could allow unauthorized users to read, modify, or delete directory data or audit trails.

Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000206-GPOS-00084

Check

This applies to domain controllers. It is not applicable for other systems.

Run "Regedit".

Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters".

Note the directory locations in the values for:

Database log files path
DSA Database file

By default, they will be \Windows\NTDS.

If the locations are different, run the following for each:

Open "command prompt (Admin)".

Navigate to the NTDS directory (\Windows\NTDS by default).

Run "icacls *.*".

If the permissions on each file are not as restrictive as the following, this is a finding:

NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)

(I) - permission inherited from parent container
(F) - full access

Fix

Maintain the permissions on NTDS database and log files as follows:

NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)

(I) - permission inherited from parent container
(F) - full access
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.