
Today I found DSquery on one of my SMB shares at work. I ran it to query users and since my company uses IC numbers as the unique CN, I got to see all my colleagues' ICs.

Firstly, is this considered a vulnerability? And secondly, how can this be mitigated? From another question on Server Fault there seems to be no sure way to harden the AD in this manner to mitigate against such attacks. An attacker will just need any user account, and since this is an SMB share on the AD SYSVOL, any Windows box connected to the domain can be used to exploit this.

Mike Poole
jia chen

1 Answer


Dsquery is just a tool to query Active Directory; by itself it isn't malicious or leaking personal info. What happens is that this tool queries Active Directory, which is Microsoft's database to manage Windows devices and users in a centralized location. Your IT administrator configured a naming policy; if that naming policy contains private information, this is not an issue with the tool or Active Directory, this is an issue with the security policies in your organization. Active Directory is open for query to any standard user. There are a few different use cases, and they are there by design: checking file permissions, getting data about emails in Outlook and even presenting the right user name when you log in. Assuming this is private info, I suggest mitigating by changing the convention; you can use multiple other identifiers which aren't private, like a distinct naming convention or a different ID number which isn't private.

Jonathan Allon
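As an added defender's check, not part of the question or the answer above: a Python script that scans `dsquery user` style output for CN values shaped like IC numbers, so an administrator can measure how far a private identifier has spread through the directory before changing the naming convention. It assumes the ICs are Singapore NRICs (the page does not say which country) and applies the published NRIC check-letter scheme to separate real ICs from strings that merely match the shape; the sample DNs, OUs and domain are constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `dsquery user` output: one quoted DN per line.
SAMPLE_DSQUERY_OUTPUT = '''"CN=S1234567D,OU=Staff,DC=corp,DC=example"
"CN=T0123456A,OU=Staff,DC=corp,DC=example"
"CN=jdoe,OU=Staff,DC=corp,DC=example"
"CN=S0000001I,OU=Staff,DC=corp,DC=example"
"CN=Svc Backup,OU=Service,DC=corp,DC=example"
'''

# Assumption: ICs are Singapore NRIC/FIN numbers (prefix, 7 digits, check letter).
NRIC_RE = re.compile(r"^[STFG]\d{7}[A-Z]$")
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
# Check-letter alphabets: S/T series and F/G series use different tables.
LETTERS = {"S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
           "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK"}


def nric_check_letter(nric: str) -> str:
    """Return the check letter the digits of an NRIC-shaped string should carry."""
    total = sum(w * int(d) for w, d in zip(WEIGHTS, nric[1:8]))
    if nric[0] in "TG":  # T and G series add an offset of 4 before the modulus
        total += 4
    return LETTERS[nric[0]][total % 11]


def cn_from_dn(dn_line: str) -> Optional[str]:
    """Pull the CN value out of one dsquery output line (a quoted DN)."""
    m = re.match(r'^"?CN=([^,]+)', dn_line.strip())
    return m.group(1) if m else None


def audit_dsquery_output(output: str) -> List[Tuple[str, str]]:
    """Flag CNs shaped like NRICs.

    Returns (cn, verdict) pairs: "nric-valid" when the check letter matches
    (almost certainly a real IC), "nric-format" when only the shape matches.
    """
    findings = []
    for line in output.splitlines():
        cn = cn_from_dn(line)
        if not cn or not NRIC_RE.match(cn):
            continue
        verdict = "nric-valid" if nric_check_letter(cn) == cn[-1] else "nric-format"
        findings.append((cn, verdict))
    return findings


if __name__ == "__main__":
    for cn, verdict in audit_dsquery_output(SAMPLE_DSQUERY_OUTPUT):
        print(f"{cn}: {verdict}")
```

Feed it real output with `dsquery user -limit 0 | python audit.py` style piping only after replacing the sample constant with `sys.stdin.read()`; every "nric-valid" hit is an account whose CN has to change along with the convention.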