Educause Security Discussion mailing list archives
Re: MS Active Directory and FERPA
From: "Garriga, Manuel" <mgarriga () MIAMI EDU>
Date: Mon, 13 Jun 2005 12:17:20 -0400
I've been wrestling with this issue as well. We've held back from populating a semi-sensitive user attribute in our AD because the default permissions allow "Authenticated Users" to read a great number of user attributes, including the one we'd like to populate. We looked into modifying the default ACLs on all user objects, but we have long-term performance and support concerns about replacing one "Read All Properties" DACL with potentially 250+ DACLs on every user object just to be able to restrict one attribute.

Windows 2003 SP1 includes a new function for AD that folks at TechEd are calling the "Confidentiality Flag." Although I've seen no concrete information regarding the performance concerns I mentioned with altering DACLs, it seems logical to me that evaluating this setting would be less resource intensive than the DACL alternative. You can read a somewhat vague paragraph on it at the SP1 features page here (look for "Improved security to protect confidential attributes"):

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/bb99fdd4-f8e0-490f-adae-6814cf081ff7.mspx

I was able to successfully test this on our lab's W2K3 SP1 Domain Controller by using the following, much more specific thread as a guide for altering the schema to protect a user attribute:

http://www.servernewsgroups.net/group/microsoft.public.windows.server.active_directory/topic136.aspx

I'm continuing to experiment with this "Confidentiality Flag," but it looks like it may be a solution for our issue. Perhaps it can help with your concern.

Has anybody else come up with another workaround for sensitive attributes in AD? If you've gone the DACL modification route, would you like to share your experience?
Manuel Garriga
Network Specialist, University of Miami
email: mgarriga () miami edu
ph: 305-284-3993

________________________________
From: Robert Jackson [mailto:rjax () MEMPHIS EDU]
Sent: Thursday, June 09, 2005 2:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] MS Active Directory and FERPA

I am curious what solutions for Microsoft's Active Directory have been implemented that protect the security and privacy rights of students under FERPA. Specifically, which attributes did you provide read access to, or perhaps a more elegant solution was created using some type of dynamic ACLs.

Thanks.

Robert Jackson
University of Memphis
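The "Confidentiality Flag" procedure Manuel describes, written out as an added example (this is not code from the thread or from either poster). It assumes the ActiveDirectory PowerShell module, membership in Schema Admins for the schema change, and the dsacls.exe tool; the attribute name exampleUniv-studentID, the OU OU=Students,DC=example,DC=edu and the group EXAMPLE\Registrar-Staff are all hypothetical placeholders. The confidential bit is bit 7 (0x80) of the attribute's searchFlags; once set, a principal needs the CONTROL_ACCESS right on that attribute (not just Read Property) to read it.

```powershell
# Added example, not from the original thread. Marks one user attribute as
# confidential in the schema and grants read access on it to a single group.
# Hypothetical names: exampleUniv-studentID, OU=Students,DC=example,DC=edu,
# EXAMPLE\Registrar-Staff. Requires Schema Admins for steps 1-3.
Import-Module ActiveDirectory

$AttributeName = 'exampleUniv-studentID'          # hypothetical custom attribute
$StudentOU     = 'OU=Students,DC=example,DC=edu'  # hypothetical OU
$ReaderGroup   = 'EXAMPLE\Registrar-Staff'        # hypothetical group

$CONFIDENTIAL            = 0x80   # searchFlags bit 7: attribute is confidential
$FLAG_SCHEMA_BASE_OBJECT = 0x10   # systemFlags: base (Category 1) schema object

$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster        # schema writes go to the FSMO holder

# 1. Locate the attributeSchema object for the attribute we want to protect.
$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
    -Properties searchFlags, systemFlags

if (-not $attr) { throw "Attribute $AttributeName not found in the schema" }

# 2. The confidential bit cannot be set on base-schema (Category 1) attributes;
#    check up front instead of discovering it as an LDAP constraint violation.
if ($attr.systemFlags -band $FLAG_SCHEMA_BASE_OBJECT) {
    throw "$AttributeName is a base schema attribute and cannot be marked confidential"
}

# 3. Set the bit while preserving the other searchFlags bits (indexing, ANR, etc.).
if (-not ($attr.searchFlags -band $CONFIDENTIAL)) {
    Set-ADObject -Server $schemaMaster -Identity $attr `
        -Replace @{ searchFlags = ($attr.searchFlags -bor $CONFIDENTIAL) }
}

# 4. Grant CONTROL_ACCESS on that one attribute to the reader group, inherited to
#    user objects under the OU. "CA" = Control Access, "/I:S" = sub-objects only,
#    the trailing "user" limits inheritance to user objects.
& dsacls.exe $StudentOU /I:S /G "${ReaderGroup}:CA;${AttributeName};user"

# 5. Verify. Run once as an ordinary authenticated user (the attribute should come
#    back empty) and once as a member of the reader group (the value should appear).
Get-ADUser -Filter * -SearchBase $StudentOU -Properties $AttributeName |
    Select-Object SamAccountName, $AttributeName
```

Two caveats a practitioner would want before relying on this: principals that already hold Full Control on the user objects (Domain Admins, Account Operators and similar) still read the attribute, so the bit narrows the "Authenticated Users" default rather than replacing object ACLs entirely; and a domain controller that does not understand the bit will still serve the attribute, so every DC should be at the Windows Server 2003 SP1 level or later before the attribute is populated.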
Current thread:
- MS Active Directory and FERPA Robert Jackson (Jun 09)
- <Possible follow-ups>
- Re: MS Active Directory and FERPA Garriga, Manuel (Jun 13)
- Re: MS Active Directory and FERPA Bradley Ellis (Jun 13)