Re: hide organizational unit from view in active directory

My take on that is that most people use the idea of hiding accounts, such as
the administrators account, to obtain security through obscurity and often
overlook other areas that make it incredibly easy for an attacker to gain
access. The people that will attack your system know that there is at least
one admin account out there. Knowing the name is not going to be terribly
difficult to find in most environments and even worse, it won't always be
hard to create one if you can't find the exact one you want. All 8 layers
of the stack have to be in sync to prevent that behavior and I've not seen
very many that can say that's the case 100% of the time. If they look,
they'll see the sid out there. What can be done with a sid and a little
c++? :)

Bottom line is that hiding the account provides very little return on the
investment and as you've shown here, it is common for people to shut the
windows but leave the barn door open (giving admin accounts mail boxes
indicates that there are other process related issues to address prior to
hiding the accounts from the readers). I've also seen environments that try
to hide something and then don't remove the service accounts that use them
or don't remove the last logged on user from a machine or ... and the list
goes on for ways to collect that information.

I've been in and out of several different environments and I'm with joe on
this one. I have yet to see a good reason to hide any accounts from
authenticated users. I do have all kinds of good reasons to ensure that I
have good monitoring, auditing, and process though.

FWIW, denying permissions to something in AD is typically discouraged vs.
not granting permissions to something (implied deny) because it has less of
a performance hit.

Al

<vagrantbrad@xxxxxxxxx> wrote in message
news:1172799994.478333.66050@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Feb 28, 9:21 pm, "Joe Richards [MVP]" <humorexpr...@xxxxxxxxxxx>
wrote:
First admin IDs shouldn't have mailboxes as Admins should be using
normal user accounts for email. Anything else is a huge security no no.

As for hiding the admin accounts, I have yet to have seen a good valid
reason for it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Editionwww.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

vagrantb...@xxxxxxxxx wrote:
I want to hide an organizational unit from view so that our helpdesk
person cannot see the objects and properties inside this OU. It would
be detrimental to security if he could see the users and their
associated properties in the OU because it contains all our
administrators. I've read posts similar to this issue/concern, and
people have recommended removing the read properties on the OU from
the "authenticated users" group. When I try this, however, it hides
all the users in this OU from the Global Address Book in exchange.

How can I hide an OU in Active Directory Users and Computers but have
the OU members still show in the Global Address Book?

I understand the security implications of having mailboxes for
administrators. What I don't understand is the comment by Joe
Richards saying there's no valid reason to hide admin accounts in
Active Directory. Why is it not a big issue to allow anyone in the
organization (any authenticated user) with access to Active Directory
Users and Computers to see all the administrator accounts in the
domain with their associated group memberships? Seems to me that
you're just broadcasting to everyone what accounts offer the "keys to
the castle". From a hacking perspective, that seems very insecure.
Can someone enlighten me?



.

Relevant Pages

  • Re: Integrated security - why not?
    ... Let me explain why we seldom use Integrated Security for Internet asp.net ... how could we setup accounts for them? ... !server to the public network with services such as SQL Server (remember SQL ... The DC at the ISP is not for our own use. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: absolutepoker news
    ... The chances of uncovering any further cheating at any other site are probably slim to none. ... However, knowing poker players as I do, my guess is most Absolute customers will stay right where they are. ... The statement acknowledges the security breach within Absolute's system that allowed information about opponents' hole cards to be transmitted to several suspect accounts, and confirmed that the hand log released accidentally to Marco 'CrazyMarco' Johnson, the runner-up in the suspect tournament, did in fact highlight the security flaw that allowed the site to be compromised. ...
    (rec.gambling.poker)
  • Re: absolutepoker news
    ... The chances of uncovering any further cheating at any other site are probably slim to none. ... However, knowing poker players as I do, my guess is most Absolute customers will stay right where they are. ... The statement acknowledges the security breach within Absolute's system that allowed information about opponents' hole cards to be transmitted to several suspect accounts, and confirmed that the hand log released accidentally to Marco 'CrazyMarco' Johnson, the runner-up in the suspect tournament, did in fact highlight the security flaw that allowed the site to be compromised. ...
    (rec.gambling.poker)
  • Choosing secure passwords - Feedback solicited
    ... Choosing secure passwords is the most important thing you can do to ... secure your accounts and avoid the headaches of a security breach. ... that will help you remember the PIN. ...
    (comp.security.misc)
  • Re: NEED HELP HERE! Check XP Access Problems Below!
    ... >>Roger Abell ... >>Microsoft MVP (Windows Server System: Security) ... >>>>When attempt to create new accounts, ...
    (microsoft.public.windowsxp.security_admin)