
As a new AD Admin for our Server 2003 domain it's recently been brought to my attention that any authenticated user can run DSQuery and DSGet on any of our Domain member machines. They can even run it from a USB drive. I need to configure Active Directory to restrict DSQuery and DSGet to specific security groups but so far haven't found even a hint of that possibility. Any ideas?

Drew Perry
    You're going to have a hard row to hoe trying to "break" the default behaviour / permissions in AD to accomplish what you're trying to do. You can't stop the users from running programs that can query AD (any LDAP client), so you're going to have to go the route busting up the default permissions which will likely leave you with users who can't logon and PCs that don't "act" properly w/ respect to AD client operations. – Evan Anderson Feb 05 '10 at 05:08
  • Thanks, Evan. Our AD profiles are fairly fully populated and there had been a concern by some faculty (we are a 4-year university) with regards to students querying that info from AD. I'm new to top-level AD administration and, although it didn't seem like a feasible goal, told them I'd at least give it a shot. – Drew Perry Feb 07 '10 at 13:39

1 Answer


What are you trying to accomplish with restricting them in this way? Every user in AD needs to have read access to the AD so that it can do look ups and get needed authentication and authorization information.

If you are really just concerned about limiting those two programs (which wouldn't prevent them from using something else that reads info from LDAP) you could prevent the use of these programs through a GPO. (User Configuration -> Admin Templates -> System -> Policy -> Don't run specified Windows Applications).

This really sounds like trying to do security by obscurity ... which is just not worth it.

Zypher
  • +1 - Security through obscurity isn't security-- it's worse than nothing, actually, because it gives a false sense of security. – Evan Anderson Feb 05 '10 at 05:07
  • I completely disagree with Evan's comment. Security through obscurity on its own may be worse than nothing but I, and the global technology security community at large, believe in multi-layer security. The term "security through obscurity" has received a negative stigma (mostly in first year IS Security classrooms) when in fact it can be a valid piece of an overall security plan. Having a very secure lock on your door is great. But in addition to that, not showing burglars the keyhole is even better. However, independent of his last sentence (not worth it), Zypher answered my question. Thanks. – Drew Perry Feb 07 '10 at 13:34
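For readers who want to see what the GPO in the answer actually does on the client, here is an added example that is not part of the original answer or its comments: the "Don't run specified Windows applications" policy is delivered as a set of registry values under the per-user Policies\Explorer key, and the script below writes and reads back those same values with standard PowerShell cmdlets. It assumes you are running it as the user to be restricted (the GPO writes under HKCU); the key paths and value layout match what Group Policy writes, while the function names and the choice of blocking only dsquery.exe and dsget.exe are this example's own.

```powershell
# Added example (not from the original answer): the registry policy written by
# User Configuration -> Administrative Templates -> System ->
# "Don't run specified Windows applications". Setting it by hand is only to show
# what the GPO does; in a domain you would let Group Policy deliver it.
# Assumption: run in a PowerShell session of the user who should be restricted.

$PolicyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DisallowKey = Join-Path $PolicyKey 'DisallowRun'
$Blocked     = @('dsquery.exe', 'dsget.exe')   # the two tools named in the question

function Set-DisallowRunPolicy {
    param([string[]]$Executables)

    New-Item -Path $PolicyKey   -Force | Out-Null
    New-Item -Path $DisallowKey -Force | Out-Null

    # Enable the policy: DisallowRun (REG_DWORD) = 1 on the Explorer policies key
    New-ItemProperty -Path $PolicyKey -Name 'DisallowRun' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # One REG_SZ value per blocked file name, named 1, 2, 3, ... exactly as the GPO does
    $i = 1
    foreach ($exe in $Executables) {
        New-ItemProperty -Path $DisallowKey -Name "$i" `
            -PropertyType String -Value $exe -Force | Out-Null
        $i++
    }
}

function Get-DisallowRunPolicy {
    # Return the file names currently blocked by the policy (empty if not configured)
    if (-not (Test-Path $DisallowKey)) { return @() }
    (Get-ItemProperty -Path $DisallowKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

Set-DisallowRunPolicy -Executables $Blocked
Get-DisallowRunPolicy
```

The policy takes effect for Explorer-launched programs after the user logs off and back on. Two caveats a practitioner should weigh before relying on it, both consistent with the answer's own warning: the check is by file name only, so a copy of dsquery.exe renamed on the USB stick is not blocked, and it does nothing about any other LDAP client (ldp.exe, ADSI scripts, a Python or .NET program), all of which read the directory with the same default permissions the answer describes.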