Re: The "Lunch Break Hole"

From: Tony Chow (tchow@BLUETENTACLE.COM)
Date: 01/22/02


Date:         Tue, 22 Jan 2002 13:59:21 -0800
From: Tony Chow <tchow@BLUETENTACLE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


> With ADSI, you do not need to be an Administrator or a Domain
> Administrator
> to get all the information about every account on your
> domain. Moreover, if
> you have a connection with another domain, you can also get
> the information
> about any account on this domain... Now, is it a kind of
> vulnerability ?
> Yes, no doubt.

ADSI security is regulated by the ACLs you place on the objects in the
Active Directory. Default permissions allow ordinary users to read
some, but not all, properties of each other's account objects. You can
deny domain-wide access to sensitive accounts by adjusting their ACLs.

That ADSI is accessible to all users is an intended feature, as it
allows everyone to use Active Directory as an information repository.
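The reply's point is that the exposure is governed by the account object's ACL rather than by ADSI itself. The following PowerShell script is an added example, not code from the original post or from Microsoft: it audits one account object for Allow ACEs that grant read rights to broad principals (Authenticated Users, Everyone, Domain Users, Pre-Windows 2000 Compatible Access) and, with `-DenyBroadRead`, adds a deny-ReadProperty ACE for Authenticated Users as the message describes. It assumes the ActiveDirectory PowerShell module (and its `AD:` drive) is installed; the distinguished name is supplied by the caller and the parameter names are the script's own.

```powershell
<#
  Added example (not part of the original post). Audits the ACL of an
  Active Directory account object for ACEs that let any domain member
  read it, and optionally adds a deny-read ACE for Authenticated Users.
  Assumes the ActiveDirectory module; $DistinguishedName is caller-supplied.
#>
param(
    [Parameter(Mandatory = $true)] [string] $DistinguishedName,
    [switch] $DenyBroadRead
)

Import-Module ActiveDirectory

# Principals whose read access effectively means "every domain user".
$BroadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\Pre-Windows 2000 Compatible Access',
    ((Get-ADDomain).NetBIOSName + '\Domain Users')
)

# Rights that expose attribute values; GenericRead implies ReadProperty.
$ReadRights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

$aclPath = "AD:\$DistinguishedName"
$acl = Get-Acl -Path $aclPath

# Allow ACEs granting read rights to one of the broad principals,
# including those inherited from the container (common default source).
$broadRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $BroadPrincipals -contains $_.IdentityReference.Value -and
    (($_.ActiveDirectoryRights -band $ReadRights) -ne 0)
}

if ($broadRead) {
    'Read access on {0} granted to broad principals:' -f $DistinguishedName
    foreach ($ace in $broadRead) {
        '{0,-45} {1,-35} inherited={2}' -f $ace.IdentityReference.Value,
            $ace.ActiveDirectoryRights, $ace.IsInherited
    }
} else {
    'No broad-principal read ACEs found on {0}' -f $DistinguishedName
}

if ($DenyBroadRead) {
    # Deny ReadProperty to Authenticated Users on this object only.
    $sid  = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $aclPath -AclObject $acl
    'Added Deny ReadProperty for Authenticated Users on {0}' -f $DistinguishedName
}
```

Run the audit first without `-DenyBroadRead` to see which ACEs are inherited from the container, since those are what the default permissions the reply mentions look like. A deny ACE is evaluated before allow ACEs and Authenticated Users includes administrators, so the deny will also block administrative reads of that object through normal paths; test it on a lab object and prefer scoping the deny to specific attributes (the object-type GUID overload of `ActiveDirectoryAccessRule`) when only a few properties are sensitive.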
