UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Update access to the directory schema must be restricted to appropriate accounts.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15372 DS00.3140_AD SV-30999r1_rule ECAN-1 ECCD-1 ECCD-2 High
Description
A failure to control update access to the AD Schema object could result in the creation of invalid directory objects and attributes. Applications that rely on AD could fail as a result of invalid formats and values. The presence of invalid directory objects and attributes could cause failures in Windows AD client functions and improper resource access decisions.
STIG Date
Active Directory Forest Security Technical Implementation Guide (STIG) 2013-03-12

Details

Check Text ( C-14100r1_chk )
1. Start a Schema management console. (See supplementary notes.)

2. Select the Active Directory Schema entry in the left pane.

3. In the console tree, right-click the Active Directory Schema and then click Permissions.

4. Compare the ACL of the Schema object to the following specifications:

:Active Directory Schema
Group: Administrators
Permissions: Manage Replication Topology, Replicate Directory Changes, Replicating Directory Changes [All], Replication Synchronization

:Active Directory Schema
Group: Authenticated Users
Permission: Read

:ENTERPRISE DOMAIN CONTROLLERS
Permissions: Manage Replication Topology, Replicate Directory Changes, Replicating Directory Changes [All], Replication Synchronization

:Schema Admins
Permissions: Read, Write, Create all Child Objects, Change Schema Master, Manage Replication Topology, Monitor Active Directory Replication, Reanimate Tombstones, Replicate Directory Changes, Replicating Directory Changes [All], Replication Synchronization, Update Schema Cache

:SYSTEM
Permissions: Full Control (F)

5. If any of the permissions for the Schema object are not at least as restrictive as those above, then this is a finding.

Supplemental Notes:
If the Schema management console has not already been configured on the computer, create a console by using the following instructions:

1. Register the required DLL module by typing the following at the command line. regsvr32 schmmgmt.dll

2. Start an empty console (“Start”, “Run…”, “mmc.exe”)

3. From the File (or Console) menu, select Add/Remove Snap-in.

4. On the Add/Remove Snap-in dialog, select the Add button.

5. From the Available Standalone Snap-ins list, select Active Directory Schema and the Add button.

6. On the Add Standalone Snap-in dialog, select the Close button.

7. On the Add/Remove Snap-in dialog, select the OK button.

8. When done using the console, select Exit from the File (or Console) menu.

9. Select the No button to the Save the settings… prompt (unless the SA wishes to retain this console). If the console is retained, the recommended name is schmmgmt.msc and the recommended location is the [systemroot]\system32 directory.
Fix Text (F-15008r1_fix)
Change the access control permissions for the AD Schema object to conform to the required Schema Object Permissions as shown below.

:Active Directory Schema
Group: Administrators
Permissions: Manage Replication Topology, Replicate Directory Changes, Replicating Directory Changes [All], Replication Synchronization

:Active Directory Schema
Group: Authenticated Users
Permission: Read

:ENTERPRISE DOMAIN CONTROLLERS
Permissions: Manage Replication Topology, Replicate Directory Changes, Replicating Directory Changes [All], Replication Synchronization

:Schema Admins
Permissions: Read, Write, Create all Child Objects, Change Schema Master, Manage Replication Topology, Monitor Active Directory Replication, Reanimate Tombstones, Replicate Directory Changes, Replicating Directory Changes [All], Replication Synchronization, Update Schema Cache

:SYSTEM
Permissions: Full Control (F)