Windows 2000 and 2003 have added new functionalities,
more precisely, DSQUERY and others like dsmod, dsget
etc.
I'm looking for a way to only allow administrators or
a specific group (Helpdesk) to query the Active
Directory.
By default, a normal user can:
- List all users with their username
- List all the groups a user belongs to, this includes
admin users
- List all users who are disabled.
- List all users that have been inactive for x amount
of time
- List all users with a password age greater than x
- Etc...
This to me should not be by default. If everyone was
preoccupied by the "NULL SESSION" vulnerability a few
years ago, then this should be right up there with it.
Is there any way to limit who can query what?
Thank you