Focus on Microsoft
DSQuery on active directory Jan 27 2005 02:43PM
John Madden (chiwawa999 yahoo com) (1 replies)
Re: DSQuery on active directory Jan 28 2005 04:42AM
Bruce K. Marshall (bkmlstsgohere comcast net)

First, you could change the permissions on the AD objects to remove read
access for those attributes from groups whom you don't wish to have access.
Second, you could edit the schema so newly created objects disallow read
access for those attributes from groups whom you don't wish to have access.
Third you could cross your fingers and hope that a lot of necessary domain
and application functionality doesn't break.

I agree with you that providing some of this information to all domain users
could lead to targeted attacks. But I'm not convinced that it poses enough
of a risk to counteract the potential impacts of changing AD permissions.

If you're set on trying, just make sure you test it out in a lab environment
first.

----
Bruce K. Marshall - bmarshall (at) securityps (dot) com [email concealed] - 913-484-7233
Security Professional Services, Inc. - Kansas City

----- Original Message -----
From: "John Madden" <chiwawa999 (at) yahoo (dot) com [email concealed]>
To: <focus-ms (at) securityfocus (dot) com [email concealed]>
Sent: Thursday, January 27, 2005 8:43 AM
Subject: DSQuery on active directory

> Windows 2000 and 2003 have added new functionalities,
> more precisely, DSQUERY and others like dsmod, dsget
> etc..
>
> I'm looking for a way to only allow administrators or
> a specific group (Helpdesk) to query the active
> directory.
>
> By default, a normal user can:
>
> - List all users with their username
> - List all the groups a user belongs to, this includes
> admin users
> - List all users who are disabled.
> - List all users that have been inactive for x amount
> of time
> - List all users with a password age greater than x
> - Etc...
>
> This to me should not be by default. If everyone was
> preoccupied by the "NULL SESSION" vulnerability a few
> years ago, then this should be right up there with it.
>
>
> Is there any way to limit who can query what ?
>
> Thank you

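The first option in the reply above (trimming read access on the attributes themselves, and testing in a lab before touching production) can be exercised with the script below. It is an added example, not code from the thread or from either poster, written against the ActiveDirectory module's AD: drive and System.DirectoryServices; the OU "OU=Staff,DC=lab,DC=example", the group "LAB\Domain Users" and the attribute list are assumed lab values. By default it only reports which principals hold ReadProperty on the chosen user attributes under that OU; with -Apply it adds explicit Deny ReadProperty ACEs for one group, inherited to user objects.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original thread). Reports who can read selected
# user attributes below an OU and, with -Apply, adds Deny ReadProperty ACEs
# for one group. Assumed lab values: the OU, the group and the attribute list.
param(
    [string]$TargetOU     = 'OU=Staff,DC=lab,DC=example',                       # assumption
    [string[]]$Attributes = @('pwdLastSet', 'lastLogonTimestamp', 'userAccountControl'),
    [string]$DenyGroup    = 'LAB\Domain Users',                                 # assumption
    [switch]$Apply                                                              # report only unless set
)

Import-Module ActiveDirectory

# Property-specific ACEs are scoped by the attribute's schemaIDGUID, so resolve
# each attribute name to its GUID from the schema naming context.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrGuid = @{}
foreach ($name in $Attributes) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if (-not $obj) { throw "Attribute '$name' not found in schema" }
    $attrGuid[$name] = [guid]$obj.schemaIDGUID
}

# GUID of the 'user' object class; new ACEs are inherited only by user objects.
$userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

$acl      = Get-Acl -Path "AD:\$TargetOU"
$allProps = [guid]::Empty   # an all-zero ObjectType means the ACE covers every property

# Report: every ACE granting or denying ReadProperty on all properties or on one
# of the attributes of interest. Inherited ACEs are included on purpose, since
# they are what a normal user's dsquery actually runs against.
foreach ($ace in $acl.Access) {
    if (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0) {
        $scope = if ($ace.ObjectType -eq $allProps) { 'ALL properties' }
                 else { $attrGuid.GetEnumerator() | Where-Object { $_.Value -eq $ace.ObjectType } | ForEach-Object Key }
        if ($scope) {
            '{0,-6} {1,-35} {2}' -f $ace.AccessControlType, $ace.IdentityReference, ($scope -join ',')
        }
    }
}

if ($Apply) {
    # Explicit Deny ACEs win over inherited Allow ACEs; one per attribute,
    # inherited by descendant user objects only.
    $sid = (New-Object System.Security.Principal.NTAccount($DenyGroup)).Translate([System.Security.Principal.SecurityIdentifier])
    foreach ($name in $Attributes) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $attrGuid[$name],
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClassGuid)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
    "Applied Deny ReadProperty ACEs for $DenyGroup on $($Attributes -join ', ') below $TargetOU"
}
```

Run it first without -Apply and keep the report: an "Allow ... ALL properties" line for Authenticated Users or Pre-Windows 2000 Compatible Access is the default grant that makes the listings in the question possible, and the same report run again after -Apply shows the Deny entries in front of it. Two limits worth knowing before relying on this: the group-membership listing in the question is driven by the member attribute on group objects, not by a user attribute, so it is not covered by the attribute list here; and every Deny you add is exactly the kind of change the reply warns can break domain and application functionality, which is why the script defaults to reporting and why any -Apply run belongs in a lab copy of the OU first.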
Copyright 2010, SecurityFocus