Update access to the directory schema must be restricted to appropriate accounts.
An XCCDF Rule
Description
Vulnerability discussion: A failure to control update access to the AD Schema object could result in the creation of invalid directory objects and attributes. Applications that rely on AD could fail as a result of invalid formats and values. The presence of invalid directory objects and attributes could cause failures in Windows AD client functions and improper resource access decisions.
- Documentable: false
- Responsibility: Information Assurance Officer
- ID: SV-30999r4_rule
- Severity: High
- References
- Updated
Remediation - Manual Procedure
Ensure the access control permissions for the AD Schema object conform to the required permissions as shown below.
Authenticated Users:
- Read
- Special Permissions
The Special permissions for Authenticated Users are of the List and Read type. If the detailed permissions include any additional Permissions or Properties, this is a finding.
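The following PowerShell script is an added example, not part of the STIG text or the DISA check procedure, that automates the comparison above. It assumes the ActiveDirectory RSAT module (which provides the `AD:` drive used by `Get-Acl`) and a domain-joined host with read access to the Schema naming context. It treats the "Read" permission bundle as the .NET `ActiveDirectoryRights.GenericRead` set (ReadControl, ReadProperty, ListChildren, ListObject) and reports any Allow ACE for Authenticated Users (SID S-1-5-11) that carries right bits outside that set, including property-specific write or extended-right ACEs.

```powershell
# Added example: audit the AD Schema object's DACL for Authenticated Users.
# Not part of the STIG; assumes the ActiveDirectory module and a reachable DC.
Import-Module ActiveDirectory -ErrorAction Stop

# Rights the rule permits for Authenticated Users: the GUI "Read" bundle, which in
# System.DirectoryServices.ActiveDirectoryRights is GenericRead =
# ReadControl | ReadProperty | ListChildren | ListObject.
$AllowedRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$AuthenticatedUsersSid = 'S-1-5-11'   # well-known SID for NT AUTHORITY\Authenticated Users

function Get-SchemaAuthenticatedUsersFindings {
    param(
        # Optional: supply an ACL captured elsewhere (e.g. for offline review).
        # When omitted, the live Schema naming context is read from the domain.
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl
    )

    if (-not $Acl) {
        $schemaNc = (Get-ADRootDSE).schemaNamingContext
        $Acl = Get-Acl -Path ("AD:\" + $schemaNc)
    }

    $findings = @()
    foreach ($ace in $Acl.Access) {
        # Resolve the ACE identity to a SID so renamed or localized names still match.
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable (orphaned) identity: cannot be Authenticated Users
        }
        if ($sid -ne $AuthenticatedUsersSid) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Any right bit outside the permitted read/list set is a finding, regardless
        # of whether the ACE is object-wide or scoped to a property/extended right.
        $excess = [int]$ace.ActiveDirectoryRights -band (-bnot [int]$AllowedRights)
        if ($excess -ne 0) {
            $findings += [pscustomobject]@{
                Identity     = $ace.IdentityReference.Value
                Rights       = $ace.ActiveDirectoryRights
                ExcessRights = [System.DirectoryServices.ActiveDirectoryRights]$excess
                ObjectType   = $ace.ObjectType       # GUID of the property/right, or empty
                Inherited    = $ace.IsInherited
            }
        }
    }
    return $findings
}

$findings = Get-SchemaAuthenticatedUsersFindings
if ($findings.Count -eq 0) {
    Write-Output 'Authenticated Users hold only Read/List rights on the Schema object: not a finding.'
} else {
    Write-Output 'Finding: Authenticated Users hold rights beyond Read/List on the Schema object:'
    $findings | Format-Table -AutoSize
}
```

The script only reports; it does not modify the DACL, so it can be run by a reviewer with read access. Because the comparison is done on right bits rather than on the GUI's permission names, an ACE that grants, for example, WriteProperty on a single schema attribute is still surfaced as a finding, matching the rule's wording that any additional Permissions or Properties count.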