Conduct periodic access reviews to ensure only authorized users have access.
389-DPC-003 - severity: high
| Field | Value |
|---|---|
| Control ID | 389-DPC-003 |
| Severity | high |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | AC-2, AC-2(3), AC-6 |
| DISA SRG | SRG-APP-000516 |
Rationale
Access grants in a directory server accrete over time as users change roles, leave the organization, or as one-off exceptions are added and never cleaned up. Automated preventive controls (lockout policies, TLS enforcement, ACI syntax rules) cannot detect grants that were correct when created but are no longer appropriate; only a human review can confirm that each privilege still maps to a current business requirement. Orphaned accounts that remain in high-privilege groups, and overly broad ACIs that were never scoped down, are a persistent, low-visibility attack surface: a compromised credential for a former employee, or a service account with excess rights, gives an attacker ready access to sensitive directory data, and because groupdn bind rules are evaluated through nested groups, a stale member of a group that is itself nested in an administrative group inherits that group's grants. NIST SP 800-53 AC-2 requires accounts to be reviewed periodically for compliance with account management requirements, AC-2(3) requires accounts to be disabled when they are no longer associated with a user or have been inactive beyond a defined period, and AC-6 requires least privilege; without a scheduled review cadence all three degrade silently between audits.
Check
Export the current ACIs and the membership of all static groups for review. Bind as Directory Manager so the export is complete: that identity is not subject to ACIs, whereas a less privileged bind would silently omit any ACI value or group entry it is not permitted to read. The `-o ldif-wrap=no` option keeps each ACI on one line so a value can later be copied verbatim into an ldapmodify delete.

```shell
# All entries carrying an aci attribute, with every aci value (presence filter on aci)
ldapsearch -x -o ldif-wrap=no -D "cn=Directory Manager" -W -b <suffix> "(aci=*)" aci
# All static groups and their members
ldapsearch -x -o ldif-wrap=no -D "cn=Directory Manager" -W -b <suffix> "(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))" member uniqueMember
```
Remediation
Establish a scheduled access review of ACIs and privileged group membership with recorded sign-off.

```shell
# Schedule a review (quarterly is a common baseline): export the ACIs and group
# memberships with the check commands above, have each data owner confirm that every
# grant is still required, remove stale grants with ldapmodify (delete the specific
# aci value or member value, not the whole attribute), and record the review date,
# the approver, and the changes made.
echo "Schedule and document periodic access reviews; this is a process control."
```
References
Implementation Notes
This is a recurring process control; the check commands above produce the two primary inputs needed for each review cycle: the full ACI set on the directory tree and the membership of all static group entries. Reviewers should confirm that every ACI grant maps to a current business requirement, that no deprovisioned accounts remain in privileged groups, and that group nesting does not inadvertently extend access beyond what is intended (389 Directory Server evaluates groupdn bind rules through nested groups up to the depth set by nsslapd-groupevalnestlevel in cn=config, so a member of a nested group holds the parent group's ACI grants). Two things the exports do not cover: dynamic groups (groupOfURLs entries, whose membership is a memberURL filter rather than a member list) and roles (nsRoleDefinition entries referenced by roledn bind rules); if either is in use, export those entries as well. If the Referential Integrity plug-in is not enabled, member values that point at deleted entries are never cleaned up, so the review should also check that each member DN still resolves to an existing entry.

Stale ACIs should be removed with ldapmodify by deleting the specific aci value from the entry; the value must match the stored value exactly, which is why the export is taken with ldif-wrap=no. Stale group members should be removed with ldapmodify by deleting the specific member or uniqueMember value on the group entry. Track each review cycle in a durable record that captures the review date, the reviewer's identity, and any changes made; this record is the primary evidence artifact for compliance audits. A quarterly cadence is a common baseline; adjust the frequency to match your organization's risk posture and the sensitivity of the data protected by the directory.
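The script below is an added example for this control page (not code from the 389 Directory Server project) that turns the two exports from the Check section into the review worksheet described above and emits the ldapmodify input that removes a rejected grant. It parses the LDIF the check commands return, expands nested groups to the accounts that actually hold the access, and flags three kinds of finding: effective members that are not on the data owner's list of current accounts, ACIs granting write or all to `anyone` or `all`, and ACIs whose bind subject is a DN that is neither a current account nor a group. `SAMPLE_LDIF` is constructed sample output in the shape of the two exports concatenated, and `ACTIVE_ACCOUNTS` stands in for the HR or IdM list of current accounts; both are assumptions for the example.

```python
"""Review worksheet from the two ldapsearch exports in the Check section.  Added
example for this control page, not 389 Directory Server project code.  SAMPLE_LDIF is
constructed to look like the two exports concatenated (ldif-wrap=no); ACTIVE_ACCOUNTS
stands in for the data owner's list of current accounts (assumed to come from HR/IdM)."""
import base64
import re
ACI_NAME = re.compile(r'acl\s+"([^"]*)"')
ACI_RULE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)')
ACI_SUBJECT = re.compile(r'(?:userdn|groupdn|roledn)\s*=\s*"ldap:///([^"]*)"')
SAMPLE_LDIF = """\
dn: dc=example,dc=com
aci: (targetattr="*")(version 3.0; acl "Directory Administrators Group"; allow (all) groupdn="ldap:///cn=Directory Administrators,dc=example,dc=com";)
aci: (targetattr="userPassword")(version 3.0; acl "temp helpdesk access"; allow (write) userdn="ldap:///uid=contractor1,ou=People,dc=example,dc=com";)

dn: ou=People,dc=example,dc=com
aci: (targetattr="*")(version 3.0; acl "Anonymous read"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "legacy self-service"; allow (all) userdn="ldap:///all";)

dn: cn=Directory Administrators,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=People,dc=example,dc=com
uniqueMember: uid=bob,ou=People,dc=example,dc=com
uniqueMember: cn=Helpdesk,ou=Groups,dc=example,dc=com

dn: cn=Helpdesk,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=carol,ou=People,dc=example,dc=com
member: uid=contractor1,ou=People,dc=example,dc=com
"""
# Constructed: bob has left and contractor1's engagement has ended.
ACTIVE_ACCOUNTS = ["uid=alice,ou=People,dc=example,dc=com", "uid=carol,ou=People,dc=example,dc=com"]

def parse_ldif(text):
    """LDIF -> [(dn, {attr: [values]})], attribute names lower-cased; wrapped and base64 lines handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                       # LDIF continuation line
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:                          # trailing "" flushes the last entry
        if not line:
            if cur is not None: entries.append(cur)
            cur = None
        elif not line.startswith("#"):                 # ldapsearch prints comment lines
            name, _, value = line.partition(":")
            value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
            if name.lower() == "dn":
                cur = (value, {})
            elif cur is not None:
                cur[1].setdefault(name.lower(), []).append(value)
    return entries

def norm(dn):
    """Case- and whitespace-insensitive DN key (sufficient for DNs without escaped commas)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def group_members(entries):
    """Direct members of every group entry, taken from member and uniqueMember."""
    return {norm(dn): [norm(m) for m in attrs.get("member", []) + attrs.get("uniquemember", [])]
            for dn, attrs in entries if "member" in attrs or "uniquemember" in attrs}

def effective_members(groups, gdn, seen=None):
    """Accounts that hold the group's access once nesting is expanded; `seen` breaks membership cycles."""
    seen = {gdn} if seen is None else seen
    out = set()
    for m in groups.get(gdn, []):
        if m not in groups:
            out.add(m)
        elif m not in seen:
            seen.add(m)
            out |= effective_members(groups, m, seen)
    return out

def aci_rows(entries):
    """One row per ACI value: the entry it sits on, acl name, allow/deny rights, bind subjects."""
    return [{"entry": dn, "value": aci, "name": (ACI_NAME.search(aci) or [None, "(unnamed)"])[1],
             "rules": [(k, [r.strip() for r in rights.split(",")]) for k, rights in ACI_RULE.findall(aci)],
             "subjects": ACI_SUBJECT.findall(aci)}
            for dn, attrs in entries for aci in attrs.get("aci", [])]

def review(entries, active_accounts):
    """Worksheet (all ACIs, each group's effective members) plus findings: members that are not
    current accounts, write/all grants to anyone/all, and ACI subjects that are neither account nor group."""
    groups = group_members(entries)
    active = {norm(a) for a in active_accounts}
    stale = [(g, m) for g in groups for m in sorted(effective_members(groups, g)) if m not in active]
    rows = aci_rows(entries)
    strong = lambda row: any(k == "allow" and {"all", "write", "add", "delete"} & set(r) for k, r in row["rules"])
    broad = [r for r in rows if strong(r) and any(s.lower() in ("anyone", "all") for s in r["subjects"])]
    orphan = [r for r in rows if any("=" in s and norm(s) not in active and norm(s) not in groups for s in r["subjects"])]
    return {"acis": rows, "groups": {g: sorted(effective_members(groups, g)) for g in groups},
            "stale_members": stale, "broad_acis": broad, "orphan_acis": orphan}

def removal_ldif(entry_dn, attr, value):
    """ldapmodify input that deletes exactly one value (one aci, one member) and nothing else."""
    return f"dn: {entry_dn}\nchangetype: modify\ndelete: {attr}\n{attr}: {value}\n-\n"
```

Run it against the real exports with `review(parse_ldif(open("acis.ldif").read() + open("groups.ldif").read()), current_accounts)`; for each finding the reviewer rejects, feed `removal_ldif(...)` to `ldapmodify -x -D "cn=Directory Manager" -W` and keep the LDIF with the signed review record. The delete targets a single value, so other ACIs or members on the same entry are untouched; because the aci value must match what is stored, pass the `value` field from the worksheet rather than retyping it.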