Changes to the AD schema must be subject to a documented configuration management process.

From Active Directory Forest Security Technical Implementation Guide (STIG)

Part of Schema Change Configuration Management

Associated with IA controls: DCPR-1

Associated with: CCI-000366

SV-30998r3_rule Changes to the AD schema must be subject to a documented configuration management process.

Vulnerability discussion

Poorly planned or implemented changes to the AD schema could cause the applications that rely on AD (such as web and database servers) to operate incorrectly or not all.Improper changes to the schema could result in changes to AD objects that are incompatible with correct operation of the Windows domain controller and the domain clients. This could cause outages that prevent users from logging on or accessing Windows server resources across multiple hosts.

Check content

1. Interview the IAO. 2. Obtain a copy of the site’s configuration management procedures documentation. 3. Verify that there is a local policy that requires changes to the directory schema to be processed through a configuration management process. This applies to directory schema changes whether implemented in a database or other types of files. For AD, this refers to changes to the AD schema. 4. If there is no policy that requires changes to the directory schema to be processed through a configuration management process, then this is a finding.

Fix text

Document and implement a policy to ensure that changes to the AD schema are subject to a configuration management process.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.