Re: hide organizational unit from view in active directory



Monitoring:
Something like this:
http://www.microsoft.com/mom/workgroup/howtobuy/default.mspx or one of the
other third party products out there.

Auditing:
The 2003 version of best practices is here:
http://www.microsoft.com/windowsserver2003/techinfo/overview/adsecurity.mspx

http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html



General:
http://www.microsoft.com/technet/security/learning/default.mspx

There are plenty of other sites and theories, but I think this would give
you some general background. My only issue with MOM is the cost. I think
it's a great product and the concept is sound (start with the best practices
from the vendor and allow you to make adjustments from there). Having used
it, its value is awesome, but the acquisition price is tough to get
management to bite a lot of the time. I recommend trying to get this
in-house.

Let me know if you need more or if that doesn't help.

Al

<vagrantbrad@xxxxxxxxx> wrote in message
news:1172852891.082413.292060@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Mar 2, 7:00 am, "Al Mulnick" <amulnick_No_S...@xxxxxxxxxxx> wrote:
My take on that is that most people use the idea of hiding accounts, such as
the administrators account, to obtain security through obscurity and often
overlook other areas that make it incredibly easy for an attacker to gain
access. The people that will attack your system know that there is at least
one admin account out there. Knowing the name is not going to be terribly
difficult to find in most environments and even worse, it won't always be
hard to create one if you can't find the exact one you want. All 8 layers
of the stack have to be in sync to prevent that behavior and I've not seen
very many that can say that's the case 100% of the time. If they look,
they'll see the SID out there. What can be done with a SID and a little
C++? :)

Bottom line is that hiding the account provides very little return on the
investment and as you've shown here, it is common for people to shut the
windows but leave the barn door open (giving admin accounts mail boxes
indicates that there are other process related issues to address prior to
hiding the accounts from the readers). I've also seen environments that try
to hide something and then don't remove the service accounts that use them
or don't remove the last logged on user from a machine or ... and the list
goes on for ways to collect that information.

I've been in and out of several different environments and I'm with joe on
this one. I have yet to see a good reason to hide any accounts from
authenticated users. I do have all kinds of good reasons to ensure that I
have good monitoring, auditing, and process though.

FWIW, denying permissions to something in AD is typically discouraged vs.
not granting permissions to something (implied deny) because it has less of
a performance hit.

Al

<vagrantb...@xxxxxxxxx> wrote in message
news:1172799994.478333.66050@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

On Feb 28, 9:21 pm, "Joe Richards [MVP]" <humorexpr...@xxxxxxxxxxx> wrote:
First, admin IDs shouldn't have mailboxes as Admins should be using
normal user accounts for email. Anything else is a huge security no-no.

As for hiding the admin accounts, I have yet to see a good valid
reason for it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm

vagrantb...@xxxxxxxxx wrote:
I want to hide an organizational unit from view so that our helpdesk
person cannot see the objects and properties inside this OU. It would
be detrimental to security if he could see the users and their
associated properties in the OU because it contains all our
administrators. I've read posts similar to this issue/concern, and
people have recommended removing the read properties on the OU from
the "authenticated users" group. When I try this, however, it hides
all the users in this OU from the Global Address Book in exchange.

How can I hide an OU in Active Directory Users and Computers but have
the OU members still show in the Global Address Book?

I understand the security implications of having mailboxes for
administrators. What I don't understand is the comment by Joe
Richards saying there's no valid reason to hide admin accounts in
Active Directory. Why is it not a big issue to allow anyone in the
organization (any authenticated user) with access to Active Directory
Users and Computers to see all the administrator accounts in the
domain with their associated group memberships? Seems to me that
you're just broadcasting to everyone what accounts offer the "keys to
the castle". From a hacking perspective, that seems very insecure.
Can someone enlighten me?

I appreciate your response Al. I am in a fairly small IT shop and I
wear about 100 hats, one of them being Active Directory. Being that
Active Directory is not one of my passions, if you know what I mean, I
must admit that my AD setup has been somewhat ignored. I'm in the
process of rectifying some of my practices, so I'll take your advice
and run with it. If you don't mind, could you point me in the right
direction with good monitoring and auditing processes in AD?

Brad
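The thread's advice boils down to three checks rather than hiding the OU: don't put explicit Deny ACEs on the admin OU (leave the permission ungranted instead), don't give admin accounts mailboxes, and turn on directory-service auditing. The script below is an added example written for this page, not code posted by Al, Joe or Brad. It assumes the RSAT ActiveDirectory PowerShell module (which provides the AD: drive used by Get-Acl), a domain-joined host, and a placeholder OU distinguished name that you would replace with your own.

```powershell
# Added example (not from the thread). Audits an admin OU the way the replies
# recommend instead of hiding it from Authenticated Users.
# Assumption: RSAT ActiveDirectory module is installed; run as a domain admin.
Import-Module ActiveDirectory

# Placeholder DN for the OU that holds the administrator accounts.
$AdminOU = 'OU=Admins,DC=example,DC=com'

$findings = @()

# 1. Explicit Deny ACEs on the OU. Al's point: an explicit Deny is discouraged
#    compared with simply not granting the right (implied deny), and a Deny on
#    the OU is what breaks the Exchange Global Address List for those users.
$acl = Get-Acl -Path ("AD:\" + $AdminOU)
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Deny') {
        $findings += [pscustomobject]@{
            Check     = 'ExplicitDenyOnOU'
            Principal = $ace.IdentityReference.Value
            Detail    = "$($ace.ActiveDirectoryRights) (inherited: $($ace.IsInherited))"
        }
    }
}

# 2. Joe's point: admin IDs should not have mailboxes. Walk the built-in
#    privileged groups recursively and flag user members whose account carries
#    Exchange mailbox attributes (homeMDB) or a mail address.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$seen = @{}
foreach ($group in $privGroups) {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($m.objectClass -ne 'user' -or $seen.ContainsKey($m.SamAccountName)) { continue }
        $seen[$m.SamAccountName] = $true
        $u = Get-ADUser -Identity $m.SamAccountName -Properties homeMDB, mail
        if ($u.homeMDB -or $u.mail) {
            $findings += [pscustomobject]@{
                Check     = 'AdminWithMailbox'
                Principal = $u.SamAccountName
                Detail    = "member of '$group'; mail=$($u.mail); homeMDB=$($u.homeMDB)"
            }
        }
    }
}

# 3. Auditing: report whether Directory Service Access auditing is enabled on
#    this host. auditpol prints the current setting; it is not changed here.
$auditState = auditpol /get /subcategory:"Directory Service Access" 2>$null
if ($auditState -notmatch 'Success') {
    $findings += [pscustomobject]@{
        Check     = 'DSAccessAuditingOff'
        Principal = $env:COMPUTERNAME
        Detail    = 'Directory Service Access auditing not recording successes'
    }
}

$findings | Format-Table -AutoSize
```

Run it on a domain controller, or any host with RSAT, and work through the findings in order: remove Deny ACEs and rely on the default read permissions for Authenticated Users (which is what keeps the GAL intact), move mailboxes off the privileged accounts onto the admins' ordinary user accounts, and enable success and failure auditing for Directory Service Access before worrying about who can browse the OU.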





