Finding ID | Version | Rule ID | IA Controls | Severity
---|---|---|---|---
V-15372 | DS00.3140_AD | SV-30999r1_rule | ECAN-1 ECCD-1 ECCD-2 | High
**Description**

A failure to control update access to the AD Schema object could result in the creation of invalid directory objects and attributes. Applications that rely on AD could fail as a result of invalid formats and values. The presence of invalid directory objects and attributes could cause failures in Windows AD client functions and improper resource access decisions.
STIG | Date
---|---
Active Directory Forest Security Technical Implementation Guide (STIG) | 2013-03-12
**Check Text (C-14100r1_chk)**

1. Start a Schema management console. (See supplemental notes.)
2. Select the Active Directory Schema entry in the left pane.
3. In the console tree, right-click the Active Directory Schema and then click Permissions.
4. Compare the ACL of the Schema object to the following specifications:

Active Directory Schema Group | Permissions
---|---
Administrators | Manage Replication Topology, Replicate Directory Changes, Replicating Directory Changes [All], Replication Synchronization
Authenticated Users | Read
ENTERPRISE DOMAIN CONTROLLERS | Manage Replication Topology, Replicate Directory Changes, Replicating Directory Changes [All], Replication Synchronization
Schema Admins | Read, Write, Create all Child Objects, Change Schema Master, Manage Replication Topology, Monitor Active Directory Replication, Reanimate Tombstones, Replicate Directory Changes, Replicating Directory Changes [All], Replication Synchronization, Update Schema Cache
SYSTEM | Full Control (F)

5. If any of the permissions for the Schema object are not at least as restrictive as those above, then this is a finding.

Supplemental Notes: If the Schema management console has not already been configured on the computer, create a console by using the following instructions:

1. Register the required DLL module by typing the following at the command line: `regsvr32 schmmgmt.dll`
2. Start an empty console ("Start", "Run…", "mmc.exe").
3. From the File (or Console) menu, select Add/Remove Snap-in.
4. On the Add/Remove Snap-in dialog, select the Add button.
5. From the Available Standalone Snap-ins list, select Active Directory Schema and the Add button.
6. On the Add Standalone Snap-in dialog, select the Close button.
7. On the Add/Remove Snap-in dialog, select the OK button.
8. When done using the console, select Exit from the File (or Console) menu.
9. Select the No button to the Save the settings… prompt (unless the SA wishes to retain this console). If the console is retained, the recommended name is schmmgmt.msc and the recommended location is the [systemroot]\system32 directory.
**Fix Text (F-15008r1_fix)**

Change the access control permissions for the AD Schema object to conform to the required Schema Object Permissions as shown below.

Active Directory Schema Group | Permissions
---|---
Administrators | Manage Replication Topology, Replicate Directory Changes, Replicating Directory Changes [All], Replication Synchronization
Authenticated Users | Read
ENTERPRISE DOMAIN CONTROLLERS | Manage Replication Topology, Replicate Directory Changes, Replicating Directory Changes [All], Replication Synchronization
Schema Admins | Read, Write, Create all Child Objects, Change Schema Master, Manage Replication Topology, Monitor Active Directory Replication, Reanimate Tombstones, Replicate Directory Changes, Replicating Directory Changes [All], Replication Synchronization, Update Schema Cache
SYSTEM | Full Control (F)