Check: AD.0017
Active Directory Forest STIG (STIG):
AD.0017
(in versions v2 r8 through v2 r7)
Title
Membership to the Schema Admins group must be limited. (Cat II impact)
Discussion
The Schema Admins group is a privileged group in a forest root domain. Members of the Schema Admins group can make changes to the schema, which is the framework for the Active Directory forest. Changes to the schema are not frequently required. This group only contains the Built-in Administrator account by default. Additional accounts must only be added when changes to the schema are necessary and then must be removed.
Check Content
Open "Active Directory Users and Computers" on a domain controller in the forest root domain. Navigate to the "Users" container. Right-click on "Schema Admins" and select "Properties", and then select the "Members" tab. If any accounts other than the built-in Administrators group are members, verify their necessity with the ISSO. If any accounts are members of the group when schema changes are not being made, this is a finding.
Fix Text
Limit membership in the Schema Admins group to only those accounts necessary during a schema update. Remove accounts when the updates are complete. Document accounts necessary during schema updates with the ISSO.
Additional Identifiers
Rule ID: SV-87487r1_rule
Vulnerability ID: V-72835
Group Title: AD.0017
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |