V-243505
SV-243505r1026206_rule
CAT III
Changes to the AD schema must be subject to a documented configuration management process.
From: Active Directory Forest Security Technical Implementation Guide (V3R2)
Description
<VulnDiscussion>Poorly planned or implemented changes to the AD schema could cause the applications that rely on AD (such as web and database servers) to operate incorrectly or not all.
Improper changes to the schema could result in changes to AD objects that are incompatible with correct operation of the Windows domain controller and the domain clients. This could cause outages that prevent users from logging on or accessing Windows server resources across multiple hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Check Procedure
1. Interview the ISSO.
2. Obtain a copy of the site's configuration management procedures documentation.
3. Verify that there is a local policy that requires changes to the directory schema to be processed through a configuration management process. This applies to directory schema changes whether implemented in a database or other types of files. For AD, this refers to changes to the AD schema.
4. If there is no policy that requires changes to the directory schema to be processed through a configuration management process, then this is a finding.
Fix Text
Document and implement a policy to ensure that changes to the AD schema are subject to a configuration management process.
CCI Reference
CCI-000366- Created
- 2026-01-14 17:55:45
- Last Updated
- 2026-04-07 20:08:09