Re: Active Directory Security



Dear Paul,

Thanks for the reply. I understand that users can only see the objects in
Active Directory. They can see the members of the domain admin, Enterprise
Admin. Anyone can lock all the admin accounts by putting in the wrong password.
This is one of the security threats which I have mentioned; there are many
things that a user can do if they can see the objects in the AD.

We are basically looking for some guidelines which can be used for securing
the Active Directory structure.

Thanks and Regards,
Sukhwinder Singh


"Paul Bergson" wrote:

Just because you can see the money in a bank doesn't mean you can steal it.
There is plenty of security in place to protect your assets in AD. Users
can read objects but they can't manipulate them; this shouldn't be any cause
for concern.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

"Sukhwinder Singh" <SukhwinderSingh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:38383C59-3BF7-48D7-9782-8B4253F5332E@xxxxxxxxxxxxxxxx

Dear All,

I have a question regarding Active Directory security. In our
organisation we have a single-forest, single-domain architecture. To reduce
the footprint on the domain controllers we have installed adminpak on our
Windows XP computers and do the administration from there.

But my concern is that if anyone in my organisation installs adminpak,
he/she will be able to see all the objects in my domain, which is a very big
security threat because anyone can see the objects from my domain.

Also, we have created OUs as per the divisions in the organisation and given
the local divisional teams access to their division's OU. Now they can see
all the OUs and objects but can modify objects in their OU only.

Is there a way that users can see only the portion of AD to which they
have access, and other users should not be able to see anything?

Also, please let me know the best practices for securing the Active
Directory structure.
