Check: DS00.0100_AD
Active Directory Forest STIG (STIG):
DS00.0100_AD
(in versions v2 r8 through v2 r7)
Title
Changes to the AD schema must be subject to a documented configuration management process. (Cat III impact)
Discussion
Poorly planned or implemented changes to the AD schema could cause the applications that rely on AD (such as web and database servers) to operate incorrectly or not at all. Improper changes to the schema could result in changes to AD objects that are incompatible with correct operation of the Windows domain controller and the domain clients. This could cause outages that prevent users from logging on or accessing Windows server resources across multiple hosts.
Check Content
1. Interview the IAO.
2. Obtain a copy of the site’s configuration management procedures documentation.
3. Verify that there is a local policy that requires changes to the directory schema to be processed through a configuration management process. This applies to directory schema changes whether implemented in a database or other types of files. For AD, this refers to changes to the AD schema.
4. If there is no policy that requires changes to the directory schema to be processed through a configuration management process, then this is a finding.
Fix Text
Document and implement a policy to ensure that changes to the AD schema are subject to a configuration management process.
Additional Identifiers
Rule ID: SV-30998r3_rule
Vulnerability ID: V-8527
Group Title: Schema Change Configuration Management
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings