DSQuery on active directory
From: John Madden (chiwawa999_at_yahoo.com)
Date: 01/27/05
- Previous message: Manuel Sousa: "Domain logon without network connection + group policies"
- Next in thread: Bruce K. Marshall: "Re: DSQuery on active directory"
- Reply: Bruce K. Marshall: "Re: DSQuery on active directory"
Date: Thu, 27 Jan 2005 06:43:42 -0800 (PST)
To: focus-ms@securityfocus.com
Windows 2000 and 2003 have added new functionalities,
more precisely, DSQUERY and others like dsmod, dsget
etc.
I'm looking for a way to only allow administrators or
a specific group (Helpdesk) to query the active
directory.
By default, a normal user can:
- List all users with their username
- List all the groups a user belongs to, this includes
admin users
- List all users who are disabled.
- List all users that have been inactive for x amount
of time
- List all users with a password age greater than x
- Etc...
This to me should not be by default. If everyone was
preoccupied by the "NULL SESSION" vulnerability a few
years ago, then this should be right up there with it.
Is there any way to limit who can query what?
Thank you