STIGQter: STIG Summary: Active Directory Forest Security Technical Implementation Guide (STIG) Version: 2 Release: 8 Benchmark Date: 27 Jul 2018

Membership to the Schema Admins group must be limited.

DISA Rule

SV-87487r1_rule

Vulnerability Number

V-72835

Group Title

AD.0017

Rule Version

AD.0017

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Limit membership in the Schema Admins group to only those accounts necessary during a schema update. Remove accounts when the updates are complete. Document accounts necessary during schema updates with the ISSO.

Check Contents

Open "Active Directory Users and Computers" on a domain controller in the forest root domain.

Navigate to the "Users" container.

Right-click on "Schema Admins" and select "Properties", and then select the "Members" tab.

If any accounts other than the built-in Administrators group are members, verify their necessity with the ISSO.

If any accounts are members of the group when schema changes are not being made, this is a finding.
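The check above can be scripted so the membership of Schema Admins is reviewed the same way every time. The following PowerShell is an added example and is not part of the STIG or of STIGQter; it assumes the RSAT ActiveDirectory module, an account with rights to read group membership in the forest root domain, and that the only expected member is the built-in Administrators group named in the check (identified here by its well-known SID S-1-5-32-544, which is an assumption about how to match it). Like the "Members" tab, it lists direct members only.

```powershell
# Added example (not from the STIG or STIGQter): list Schema Admins members in the
# forest root domain and report any member other than the built-in Administrators
# group for verification with the ISSO. Run on or against a forest root domain DC.
Import-Module ActiveDirectory

# Schema Admins exists only in the forest root domain, so resolve that domain first.
$rootDomain = (Get-ADForest).RootDomain

# Resolve the group by its well-known RID (518) rather than by display name,
# so a renamed group is still found.
$rootSid      = (Get-ADDomain -Identity $rootDomain -Server $rootDomain).DomainSID.Value
$schemaAdmins = Get-ADGroup -Identity "$rootSid-518" -Server $rootDomain

# Assumption: the built-in Administrators group (S-1-5-32-544) is the only
# membership the check treats as expected; everything else needs ISSO review.
$exemptSids = @('S-1-5-32-544')

# Direct members, matching what the "Members" tab in ADUC shows.
$members = Get-ADGroupMember -Identity $schemaAdmins -Server $rootDomain

$findings = foreach ($m in $members) {
    if ($exemptSids -notcontains $m.SID.Value) {
        [pscustomobject]@{
            Name        = $m.name
            ObjectClass = $m.objectClass
            SID         = $m.SID.Value
            DN          = $m.distinguishedName
        }
    }
}

if (@($findings).Count -gt 0) {
    Write-Output ("Schema Admins has {0} member(s) requiring ISSO verification " +
                  "(a finding if no schema update is in progress):") -f @($findings).Count
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'Schema Admins contains no members beyond the exempted set: not a finding.'
}
```

Because the fix recommendation expects the group to be empty outside of schema updates, the report is only "not a finding" when no non-exempt members are listed; any member shown must be matched against the accounts documented with the ISSO for a schema update currently in progress.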

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

871

Comments