Re: AdminPak installed by Domain User - can view all tabs and groups.
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 16 Feb 2007 09:27:17 -0600
Remember, AD is a DIRECTORY. Directories are typically designed around the idea of publishing data, not hiding it.
Remember also that normal domain users can query the domain using LDAP with any LDAP tools they find or write themselves to get the same stuff. They don't need to install ADUC to see most of the data in the directory.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Flack" <Flack@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3F2DCE97-AC79-41DD-A729-A8D769B5E8F9@xxxxxxxxxxxxxxxx
Thanks all! Yes, some have Admin Privs like some helpdesk people requiring it to support customers as well as developers.
Thanks folks! Been a great help.
J-
"Paul Williams [MVP]" wrote:
A regular domain user shouldn't be able to install anything. If they did, they probably have local administrative permissions and rights.
Once installed, if a user peruses the directory using the ADUC tool, then they will have access to all the tabs. They will have read access to most of the attributes too. They won't have write access to anything really.
Isn't this a bit of a risk? For someone in the network that wants a little bit more info that knows a little something about Admin Pak?
The permissions to read the data aren't a risk. That is the purpose of a directory service - to allow people to view info.
Is allowing non administrators use of ADUC a risk? Maybe. Maybe not. If they don't have the permissions to do anything they can't really do much, but it is overkill and can also get them thinking about how they might want to do something. It also gives them plenty of info should they wish to form an attack. You shouldn't be giving anyone access to that, or any other, tool if they don't need it. A web based interface that only shows a subset of attributes is a good start, e.g. a white pages. Or, a role based administrative tool such as ARS from Quest, that works as a proxy - it has permissions over AD and handles delegation via its own authorisation system which is based on roles.
The cool thing about a tool such as a web page, or Outlook's address list, is it only returns values that you have permissions to see and doesn't show you the underlying structure. You only get relevant info in an easy to read and use way.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net