Access Denied: Disabling Schema Changes in AD
Disable Active Directory (AD) schema changes to prevent malicious or accidental tampering.
June 17, 2002
Get answers to your security-related Win2K questions
[Editor's Note: Do you have a security-related question about Windows 2000? Send it to [email protected], and you might see the answer in this column!]
How can we disable schema changes in Active Directory (AD)? We have a large AD implementation with many administrators and many domain controllers (DCs), and we want to make it as difficult as possible for someone to maliciously or accidentally change our schema.
Your concern is warranted. You must carefully plan and control any AD schema changes, which are permanent and can wreak havoc on your entire forest if you don't perform them correctly. Microsoft has established several controls that pertain to schema changes.
The first control is that you must be a member of the Schema Admins group, which is a universal group in your forest's root domain, to modify the schema. By default, members of the Administrator group are members of Schema Admins; consider removing the Administrator group from Schema Admins. Who can add members to Schema Admins? Schema Admins' default ACL allows any member of the Enterprise Admins, Domain Admins, or Administrators groups into the forest's root domain. You can delete these groups from the ACL so that administrators can't add themselves to Schema Admins without first granting themselves access to the group.
The next control is the Schema Update Allowed registry value in the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNTDSParameters registry subkey. Before you can make changes to a schema on a DC, you must create this value and set it to 1. For added security, set Schema Update Allowed to 0 on all DCs, then delete the access control entry (ACE) in the Parameters subkey ACL that grants Full Control to the Administrators group. You don't have to reboot the DC after creating or changing this value.
Only one DC can accept schema changes at any time. That DC holds the Schema Master Flexible Single-Master Operation (FSMO) role. To determine which DC holds this role, run regsvr32 schmmgmt.dll to register the Microsoft Management Console (MMC) Schema Management snap-in. Then, run mmc.exe and add the Schema Management snap-in to the empty console. Right-click Active Directory Schema, then select Operations Master.
If you've deployed a Security logmonitoring tool such as Symantec's Intruder Alert on your DCs, you can implement a final level of security by configuring object auditing to alert you whenever users add themselves to Schema Admins or change the Schema Update Allowed registry value. Enable auditing of successful set value events on the Parameters subkey and of membership changes to the Schema Admins group. Also configure your monitoring tool to alert you when it encounters either an event ID 660 (which signifies that a new member has joined a universal group) with Schema Admins in the event description or an event ID 560 (which signifies an open object) with SYSTEMCurrentControlSetServicesNTDSParameters in the event description.
About the Author
You May Also Like