Details
This security setting determines which users and groups have the authority to synchronize all directory service data. This is also known as Active Directory synchronization.
The recommended state for this setting is: No One.
Rationale:
The Synchronize directory service data user right affects Domain Controllers; only Domain Controllers should be able to synchronize directory service data. Domain Controllers have this user right inherently, because the synchronization process runs in the context of the System account on Domain Controllers. Attackers who have this user right can view all information stored within the directory. They could then use some of that information to facilitate additional attacks or expose sensitive data, such as direct telephone numbers or physical addresses.
Solution
To establish the recommended configuration via GP, set the following UI path to No One:
Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentSynchronize directory service data
Impact:
None – this is the default behavior.
Default Value:
No one.
References:
CCE-36099-0
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability.This control applies to the following type of system Windows.