Re: DSQuery on active directory

From: Bruce K. Marshall (bkmlstsgohere_at_comcast.net)
Date: 01/28/05

  • Next message: Ian Turnbull: "Re: Preventing multiple logins in 2003"

    To: "John Madden" <chiwawa999@yahoo.com>
    Date: Thu, 27 Jan 2005 22:42:52 -0600

    First, you could change the permissions on the AD objects to remove read
    access for those attributes from groups that you don't wish to have access.
    Second, you could edit the schema so newly created objects disallow read
    access for those attributes from groups that you don't wish to have access.
    Third, you could cross your fingers and hope that a lot of necessary domain
    and application functionality doesn't break.

    I agree with you that providing some of this information to all domain users
    could lead to targeted attacks. But I'm not convinced that it poses enough
    of a risk to counteract the potential impacts of changing AD permissions.

    If you're set on trying, just make sure you test it out in a lab environment
    first.

    ----
    Bruce K. Marshall - bmarshall@securityps.com - 913-484-7233
    Security Professional Services, Inc. - Kansas City
    ----- Original Message ----- 
    From: "John Madden" <chiwawa999@yahoo.com>
    To: <focus-ms@securityfocus.com>
    Sent: Thursday, January 27, 2005 8:43 AM
    Subject: DSQuery on active directory
    > Windows 2000 and 2003 have added new functionalities,
    > more precisely, DSQUERY and others like dsmod, dsget
    > etc.
    >
    > I'm looking for a way to only allow administrators or
    > a specific group (Helpdesk) to query the active
    > directory.
    >
    > By default, a normal user can:
    >
    > - List all users with their username
    > - List all the groups a user belongs to, this includes
    > admin users
    > - List all users who are disabled.
    > - List all users that have been inactive for x amount
    > of time
    > - List all users with a password age greater than x
    > - Etc...
    >
    > This to me should not be by default. If everyone was
    > preoccupied by the "NULL SESSION" vulnerability a few
    > years ago, then this should be right up there with it.
    >
    >
    > Is there any way to limit who can query what?
    >
    > Thank you 
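How Bruce's first option (removing a group's read access to one attribute on the user objects under an OU) can be applied and then checked in a lab, as an added example that is not part of this thread. The domain, OU, group and attribute values are constructed, and the script assumes the RSAT ActiveDirectory module with its AD: drive.

```powershell
# Added example (not from the thread): deny one group Read Property on a single
# attribute for all user objects under an OU. Lab values below are constructed.
Import-Module ActiveDirectory

$ou        = 'OU=Lab Users,DC=lab,DC=example'   # constructed lab OU
$principal = 'LAB\Restricted Readers'           # constructed group to deny
$attribute = 'lastLogonTimestamp'               # one of the attributes the OP wants hidden

# The ACE needs schemaIDGUIDs for the attribute and for the 'user' object class.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
    [Guid]$obj.schemaIDGUID
}
$attrGuid      = Get-SchemaGuid $attribute
$userClassGuid = Get-SchemaGuid 'user'

# Deny ACE: ReadProperty on $attribute, inherited only by descendant user objects.
$identity = New-Object System.Security.Principal.NTAccount($principal)
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify the ACE landed. Deny ACEs win over Allow, so any member of $principal
# loses the attribute even if another group (e.g. Helpdesk) is granted it;
# keep the denied group disjoint from the groups that still need the data.
# Then confirm as a member of the denied group that
# Get-ADUser -Properties $attribute returns it empty while other attributes resolve.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $principal -and $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Run it against the lab OU first, as the reply advises, and re-check any application that reads the denied attribute before touching production.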
