Guide to Securing Microsoft Windows 2000 Schema v1.0 Checklist Details

Target:
Microsoft Windows Server 2000
CPE Name:
cpe:/o:microsoft:windows_2000:-:-:server

Checklist Highlights

Checklist Name:
Guide to Securing Microsoft Windows 2000 Schema
Checklist ID:
24
Version:
v1.0
Type:
Compliance
Review Status:
Archived
Authority:
Governmental Authority: National Security Agency
Original Publication Date:
03/05/2001

Checklist Summary:

The purpose of this guide is to inform the reader about the available security settings for the Windows 2000 Schema. This guide provides information pertaining to the default security settings protecting the Schema in a network environment, but does not contain step-by-step instructions usually found in the Security Configuration Guide Series. The Schema is guarded by a number of different mechanisms that should not be altered or changed in any way. Because most organizations will be able to use the Schema as-is, only those organizations wishing to alter the Schema should be concerned. In short, do not touch the Schema unless you absolutely must. In addition to recommending security settings for the Windows 2000 Schema, this guide provides a description and overview of the Schema and discusses its importance.

Checklist Role:

  • Active Directory Server

Known Issues:

Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment. This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns. The security changes described in this document only apply to Microsoft Windows 2000 systems and should not be applied to any other Windows versions or operating systems. Any effort to modify the Schema should be heavily weighed and well thought out before being implemented, as schema modifications cannot be reversed. Inconsistencies in the Schema can cause significant problems that will impair or disable Active Directory. To be able to recover if a failure occurs, perform a complete backup of your system if this is not a new installation. Valid changes to the Active Directory Schema may occur when loading third-party applications. This is to be expected, as Microsoft made great efforts to enable independent software vendors' access to the power of Active Directory. However, administrators should be aware of when and how third-party applications make changes to the Schema. It is imperative that the Schema Update Allowed value located in the registry is set back to 0 (disable write-access) after any changes have been made to the Schema.

Target Audience:

This document is intended for Windows 2000 network administrators, but should be read by anyone involved or interested in Windows 2000 or network security.

Target Operational Environment:

  • Managed

Testing Information:

The security configuration guide has been extensively tested in a lab and operational environment.

Regulatory Compliance:

Not provided.

Comments/Warnings/Miscellaneous:

Before implementing any Windows 2000 Schema changes or any of the recommendations in this guide, administrators should perform a complete backup of the system, because any changes made to the system are irreversible.

Disclaimer:

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. Security configuration guides are provided for the Department of Defense and other government agencies requiring security configuration guidelines. The guides contain recommended security settings. They are not intended to replace well-structured policy or sound judgment. The guides do not address site-specific configuration issues. Care must be taken when implementing the guides to address local operational and policy concerns. All security changes described in the guides are applicable only to specifically identified operating systems or architecture components and should not be applied to any other operating system or architecture components.

Product Support:

Not provided.

Point of Contact:

SNAC.Guides@nsa.gov

Sponsor:

Not provided.

Licensing:

Refer to the legal statement provided at: http://www.nsa.gov/notices/notic00004.cfm? Address=/snac/os/win2k/w2k_schema.pdf

Change History:

v1.0, 2001-03-06
Updated status to Archive - 10/24/18

NIST checklist record last modified on 10/24/2018