Educause Security Discussion mailing list archives

Re: MS Active Directory and FERPA


From: "Garriga, Manuel" <mgarriga () MIAMI EDU>
Date: Mon, 13 Jun 2005 12:17:20 -0400

I've been wrestling with this issue as well.  We've held back from
populating a semi-sensitive user attribute in our AD because the default
permissions allow "authenticated users" to read a great number of user
attributes, including the one we'd like to populate.  We looked into
modifying the default ACLs on all user objects but we have long-term
performance and support concerns about replacing one "Read All
Properties" DACL with potentially 250+ DACLs on every user object just
to be able to restrict one attribute.
 
Windows 2003 SP1 includes a new function for AD that folks at TechEd are
calling "Confidentiality Flag."  Although I've seen no concrete
information regarding the performance concerns I mentioned with altering
DACLs, it seems logical to me that evaluating this setting would be less
resource intensive than the DACL alternative.  You can read a somewhat
vague paragraph on it at the SP1 features page here (look for "Improved
security to protect confidential attributes"):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/bb99fdd4-f8e0-490f-adae-6814cf081ff7.mspx
 
I was able to successfully test this in our lab's W2K3 SP1 Domain
Controller by using the following much more specific thread as a guide
for altering the schema to protect a user attribute:
http://www.servernewsgroups.net/group/microsoft.public.windows.server.active_directory/topic136.aspx
 
I'm continuing to experiment with this "Confidentiality Flag" but it
looks like it may be a solution for our issue.  Perhaps it can help with
your concern.
 
Has anybody else come up with another workaround for sensitive
attributes in AD?  If you've gone the DACL modification route, would you
like to share your experience?
 
Manuel Garriga 
Network Specialist, University of Miami 
email:mgarriga () miami edu 
ph: 305-284-3993 
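
The schema change Manuel describes is setting the confidential bit on the attribute's attributeSchema object rather than touching the DACL of every user object. The following is an added example (not code from the thread or from either poster) that does that with ADSI and then checks the effect from a low-privilege account. It assumes a placeholder attribute name and test-user DN, that the caller is a member of Schema Admins, and that the test user already has a value stored in the attribute.

```powershell
# Added example, not from the original thread.
# Marks one schema attribute as confidential by setting bit 7 (0x80) of its
# searchFlags, then verifies that an ordinary authenticated user no longer
# gets the value back. Placeholders: $AttributeName, $TestUserDN.
param(
    [string]$AttributeName = 'extensionAttribute1',                 # placeholder attribute
    [string]$TestUserDN    = 'CN=Test User,OU=Users,DC=example,DC=edu' # placeholder user
)

$CONFIDENTIAL_BIT    = 0x80  # searchFlags bit: attribute is confidential
$SCHEMA_BASE_OBJECT  = 0x10  # systemFlags bit: base-schema (category 1) attribute

# Find the schema naming context and the attributeSchema object for the attribute.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNC = $rootDse.schemaNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$schemaNC"
$searcher.Filter     = "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))"
$result = $searcher.FindOne()
if (-not $result) { throw "Attribute '$AttributeName' not found in the schema" }
$attr = $result.GetDirectoryEntry()

# The confidential bit cannot be set on base-schema attributes; stop before trying.
$systemFlags = [int]($attr.Properties['systemFlags'].Value)
if ($systemFlags -band $SCHEMA_BASE_OBJECT) {
    throw "'$AttributeName' is a base-schema attribute; it cannot be made confidential"
}

# Set the bit, preserving whatever other searchFlags bits (indexing etc.) are present.
$flags = [int]($attr.Properties['searchFlags'].Value)
if ($flags -band $CONFIDENTIAL_BIT) {
    Write-Host "'$AttributeName' is already confidential (searchFlags=$flags)"
} else {
    $newFlags = $flags -bor $CONFIDENTIAL_BIT
    $attr.Properties['searchFlags'].Value = $newFlags
    $attr.CommitChanges()
    Write-Host "searchFlags on '$AttributeName' changed $flags -> $newFlags"
}

# Verification: bind as a plain authenticated user (prompted) and read the attribute
# on the test user. Reading a confidential attribute now requires the Control Access
# right on that object, so a user holding only the default "Read All Properties"
# should get no value back (Count = 0). Run this after the schema cache has refreshed.
$cred  = Get-Credential -Message 'Low-privilege test account (not a Domain/Schema Admin)'
$entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$TestUserDN", $cred.UserName, $cred.GetNetworkCredential().Password)
$entry.RefreshCache([string[]]@($AttributeName))
$count = $entry.Properties[$AttributeName].Count
if ($count -eq 0) {
    Write-Host "OK: '$AttributeName' is hidden from $($cred.UserName)"
} else {
    Write-Warning "'$AttributeName' still readable by $($cred.UserName) ($count value(s))"
}
```

Two caveats worth keeping in mind when trying this in a lab: the write must go to the schema master and only takes effect once the schema cache is reloaded, and accounts that hold Full Control on the user object (Domain Admins, Account Operators, the object owner) still read the attribute, so the verification only means something when run as a genuinely unprivileged account.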
 
________________________________

From: Robert Jackson [mailto:rjax () MEMPHIS EDU] 
Sent: Thursday, June 09, 2005 2:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] MS Active Directory and FERPA


I am curious what solutions for Microsoft's Active Directory have been
implemented that protect the security and privacy rights of students
under FERPA.  Specifically, which attributes did you provide read access
to, or perhaps a more elegant solution was created using some type of
dynamic ACLs.
 
Thanks.
 
Robert Jackson
University of Memphis
 