Re: hide organizational unit from view in active directory

On Mar 2, 7:00 am, "Al Mulnick" <amulnick_No_S...@xxxxxxxxxxx> wrote:
My take on that is that most people use the idea of hiding accounts, such as
the administrators account, to obtain security through obscurity and often
overlook other areas that make it incredibly easy for an attacker to gain
access. The people that will attack your system know that there is at least
one admin account out there. Knowing the name is not going to be terribly
difficult to find in most environments and even worse, it won't always be
hard to create one if you can't find the exact one you want. All 8 layers
of the stack have to be in sync to prevent that behavior and I've not seen
very many that can say that's the case 100% of the time. If they look,
they'll see the sid out there. What can be done with a sid and a little
c++? :)

Bottom line is that hiding the account provides very little return on the
investment and as you've shown here, it is common for people to shut the
windows but leave the barn door open (giving admin accounts mail boxes
indicates that there are other process related issues to address prior to
hiding the accounts from the readers). I've also seen environments that try
to hide something and then don't remove the service accounts that use them
or don't remove the last logged on user from a machine or ... and the list
goes on for ways to collect that information.

I've been in and out of several different environments and I'm with joe on
this one. I have yet to see a good reason to hide any accounts from
authenticated users. I do have all kinds of good reasons to ensure that I
have good monitoring, auditing, and process though.

FWIW, denying permissions to something in AD is typically discouraged vs.
not granting permissions to something (implied deny) because it has less of
a performance hit.

Al

<vagrantb...@xxxxxxxxx> wrote in message

news:1172799994.478333.66050@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



On Feb 28, 9:21 pm, "Joe Richards [MVP]" <humorexpr...@xxxxxxxxxxx>
wrote:
First admin IDs shouldn't have mailboxes as Admins should be using
normal user accounts for email. Anything else is a huge security no no.

As for hiding the admin accounts, I have yet to have seen a good valid
reason for it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Editionwww.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

vagrantb...@xxxxxxxxx wrote:
I want to hide an organizational unit from view so that our helpdesk
person cannot see the objects and properties inside this OU. It would
be detrimental to security if he could see the users and their
associated properties in the OU because it contains all our
administrators. I've read posts similar to this issue/concern, and
people have recommended removing the read properties on the OU from
the "authenticated users" group. When I try this, however, it hides
all the users in this OU from the Global Address Book in exchange.

How can I hide an OU in Active Directory Users and Computers but have
the OU members still show in the Global Address Book?

I understand the security implications of having mailboxes for
administrators. What I don't understand is the comment by Joe
Richards saying there's no valid reason to hide admin accounts in
Active Directory. Why is it not a big issue to allow anyone in the
organization (any authenticated user) with access to Active Directory
Users and Computers to see all the administrator accounts in the
domain with their associated group memberships? Seems to me that
you're just broadcasting to everyone what accounts offer the "keys to
the castle". From a hacking perspective, that seems very insecure.
Can someone enlighten me?- Hide quoted text -

- Show quoted text -

I appreciate your response Al. I am in a fairly small IT shop and I
wear about 100 hats, one of them being Active Directory. Being that
Active Directory is not one of my passions, if you know what I mean, I
must admit that my AD setup has been somewhat ignored. I'm in the
process of rectifying some of my practices, so I'll take your advice
and run with it. If you don't mind, could you point me in the right
direction with good monitoring and auditing processes in AD?

Brad

.

Relevant Pages

  • Re: hide organizational unit from view in active directory
    ... The security of a security principal isn't supposed to be in its identifier, it comes from the authenticator (password/certificate/biometric/etc). ... As for hiding the admin accounts, I have yet to have seen a good valid ... Author of O'Reilly Active Directory Third Editionwww.joeware.net ...
    (microsoft.public.windows.server.active_directory)
  • RE: [fw-wiz] Architecture Q - Public access domain integrated pc s
    ... security within Active Directory, utilizing Group Policy objects. ... the Group Policy editor, there are configurations for user accounts policy, ... there are some good starting points for GPO security at the ...
    (Firewall-Wizards)
  • Re: external server authentication and licensing
    ... It is a booking system so security is an issue. ... Its just really convenient if you already have all these accounts and ... have any trouble with active directory, ...
    (comp.databases.filemaker)
  • How to monitor "domain controllers" without domain admin rights
    ... I manage a fairly large active directory ... environment and I'm trying to lock things down to prevent security breaches, ... I stripped the security of the service accounts we ... My problem is now specifically with DCs. ...
    (microsoft.public.security)
  • Re: KDC error suggestions?
    ... I have followed the steps in the Microsoft Article that you referred to. ... we need to locate the machine accounts that have the ... > 250455 How to Change Display Names of Active Directory Users ... I have the Windows Support Tools installed that some have ...
    (microsoft.public.windows.server.sbs)