Vulnerability V-224832

V-224832

CAT II

Permissions for the system drive root directory (usually C:\) must conform to minimum requirements.

Ships Affected: 1
Total Findings: 8
Open: 0
Closed: 8

Check Text

The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (WN16-SO-000290). Review the permissions for the system drive's root directory (usually C:\). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) If permissions are not as restrictive as the default permissions listed below, this is a finding. Viewing in File Explorer: View the Properties of the system drive's root directory. Select the "Security" tab, and the "Advanced" button. Default permissions: C:\ Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full control - This folder, subfolders, and files Administrators - Full control - This folder, subfolders, and files Users - Read & execute - This folder, subfolders, and files Users - Create folders/append data - This folder and subfolders Users - Create files/write data - Subfolders only CREATOR OWNER - Full Control - Subfolders and files only Alternately, use icacls: Open "Command Prompt (Admin)". Enter "icacls" followed by the directory: "icacls c:\" The following results should be displayed: c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(AD) BUILTIN\Users:(CI)(IO)(WD) CREATOR OWNER:(OI)(CI)(IO)(F) Successfully processed 1 files; Failed processing 0 files

Fix Text

Maintain the default permissions for the system drive's root directory and configure the Security Option "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (WN16-SO-000290). Default Permissions C:\ Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to SYSTEM - Full control - This folder, subfolders, and files Administrators - Full control - This folder, subfolders, and files Users - Read & execute - This folder, subfolders, and files Users - Create folders/append data - This folder and subfolders Users - Create files/write data - Subfolders only CREATOR OWNER - Full Control - Subfolders and files only

STIG Reference

STIG: Microsoft Windows Server 2016 Security Technical Implementation Guide
Version: 2
Release: 10
Rule ID: SV-224832r958702_rule

All Occurrences

This vulnerability appears on 1 ship(s)

Ship	Hull #	Source File	Assigned To	Scan Date	Actions
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-AP-002/Checklist/MONT-AP-002_WinServer2016_V2R10_20251023-144214.ckl	Unassigned	2026-01-14T12:57:42.721079	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-BE-002/Checklist/MONT-BE-002_WinServer2016_V2R10_20251023-143943.ckl	Unassigned	2026-01-14T12:57:41.363810	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-DB-002/Checklist/MONT-DB-002_WinServer2016_V2R10_20251023-144132.ckl	Unassigned	2026-01-14T12:57:39.082634	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServer2016_V2R10_20251023-172220.ckl	Unassigned	2026-01-14T12:57:37.248886	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-DP-001/Checklist/MONT-DP-001_WinServer2016_V2R10_20251023-144106.ckl	Unassigned	2026-01-14T12:57:35.637816	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-MB-002/Checklist/MONT-MB-002_WinServer2016_V2R10_20251023-152736.ckl	Unassigned	2026-01-14T12:57:33.842838	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-VSF-003/Checklist/MONT-VSF-003_WinServer2016_V2R10_20251023-143935.ckl	Unassigned	2026-01-14T12:57:31.534241	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-VSF-004/Checklist/MONT-VSF-004_WinServer2016_V2R10_20251023-143909.ckl	Unassigned	2026-01-14T12:57:30.046447	View in Context