Re: LDAP Security
- From: "Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Fri, 27 Jan 2006 08:58:00 -0600
Follow Paul W's advice. AD is well protected but not perfect.
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
This posting is provided "AS IS" with no warranties, and confers no rights.
"Scott" <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F88B9CF9-E271-4C8B-817E-5453CDF63A36@xxxxxxxxxxxxxxxx
> Hello,
>
> Thanks for your response.
>
> Our Active Directory stores customer user accounts. With default
> permissions, any customer can query our Active Directory and obtain a list
> of ALL customers including full name, username, and email address. This
> opens the door to spam among other abuses.
>
> This seems like a major security problem. Are you sure there is no
> "clean" way to prevent this?
>
> Thanks,
> Scott
>
> "Paul Williams [MVP]" wrote:
>
>> Of course. But it's not recommended. You would have to remove the
>> default permission of Authenticated Users: Read and replace with just
>> your group. When I say this isn't recommended, I really mean it mind.
>> A lot of things take that permission for granted. After all, the purpose
>> of a directory is to share information.
>>
>> For example, without read access to containers, GPOs won't process.
>>
>> What is the problem with the default permissions? Users can only read
>> select attributes of objects. They can't write or read sensitive
>> information.
>>
>> --
>> Paul Williams
>> Microsoft MVP - Windows Server - Directory Services
>> http://www.msresource.net | http://forums.msresource.net
>>
>>
>>
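
An added example, not part of the original thread: before changing the "Authenticated Users: Read" default discussed above, an administrator can list which allow ACEs on a container actually grant read or list access to broad principals. The function name `broad_read_aces`, the sample SDDL string and the placeholder GUID are constructed for illustration; deny ACEs, inheritance and hex-encoded access masks are not evaluated.

```python
import re

# SDDL SID aliases for principals that cover every (or nearly every) account.
BROAD_PRINCIPALS = {
    "AU": "Authenticated Users",
    "WD": "Everyone",
    "AN": "Anonymous Logon",
    "RU": "Pre-Windows 2000 Compatible Access",
}
# SDDL rights that let a principal enumerate or read directory objects.
READ_RIGHTS = {"RP": "read property", "LC": "list children",
               "LO": "list object", "GR": "generic read", "GA": "generic all"}

ACE_RE = re.compile(r"\(([^()]*)\)")

def broad_read_aces(sddl):
    """Return (principal, read_rights, scope) for every allow ACE that gives
    a broad principal read or list access. Audit and deny ACEs are skipped."""
    findings = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) != 6:
            continue                      # malformed or conditional ACE
        ace_type, _flags, rights, obj_guid, _inherit_guid, sid = fields
        if ace_type not in ("A", "OA") or sid not in BROAD_PRINCIPALS:
            continue
        if rights.startswith("0x"):
            continue                      # hex masks are not decoded here
        codes = re.findall("..", rights)  # rights are two-letter codes
        granted = [READ_RIGHTS[c] for c in codes if c in READ_RIGHTS]
        if granted:
            scope = obj_guid or "entire object"
            findings.append((BROAD_PRINCIPALS[sid], granted, scope))
    return findings

# Constructed security descriptor for a hypothetical customer OU.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPLCLORC;;;AU)"
    "(OA;CIIO;RP;00000000-0000-0000-0000-000000000001;;RU)"
    "(A;;RC;;;WD)"
    "S:(AU;SA;WP;;;WD)"
)

if __name__ == "__main__":
    for principal, rights, scope in broad_read_aces(SAMPLE_SDDL):
        print(f"{principal}: {', '.join(rights)} ({scope})")
```
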