Educause Security Discussion mailing list archives
Re: MS Active Directory and FERPA
From: Bradley Ellis <Bradley.Ellis () ITS MONASH EDU AU>
Date: Tue, 14 Jun 2005 16:10:38 +1000
Hi,
I've been wrestling with this issue as well. We've held back from populating a semi-sensitive user attribute in our AD because the default permissions allow "authenticated users" to read a great number of user attributes, including the one we'd like to populate. We looked into modifying the default ACLs on all user objects, but we have long-term performance and support concerns about replacing one "Read All Properties" DACL with potentially 250+ DACLs on every user object just to be able to restrict one attribute.

You could go down the "Deny Access" path. As in MS Land, Denies take precedence over Allows. E.g. use the Users group (or some other custom group) and deny them read access to the sensitive attribute(s). Any account that you want to have access to the sensitive attribute must not be a member of the Users group (or other custom group), as the Deny will overwrite the Allow. Hopefully this should also be fairly easy to manage in your account creation procedures and easy to audit.

Cheers,
Brad.

--
Bradley Ellis
Senior IT Security Officer, Infrastructure Services
Information Technology Services, Monash University - Clayton
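One way to set the attribute-scoped Deny ACE the post describes, as an added example (not code from the original post or from Monash): it places the Deny once on an OU, inherited by the user objects beneath it rather than rewritten on each user object, and then lists the resulting Deny entries as a check. The OU, the group name and the attribute employeeID are placeholder assumptions; it needs the ActiveDirectory PowerShell module and an account allowed to change the OU's DACL.

```powershell
# Added example, not from the original post. Placeholders: OU, group and attribute.
Import-Module ActiveDirectory

$ouDn      = 'OU=Students,DC=example,DC=edu'   # assumed OU holding the user objects
$denyGroup = 'EXAMPLE\SensitiveAttrDenied'     # assumed group that must NOT read it
$attribute = 'employeeID'                      # stands in for the sensitive attribute

# Resolve schemaIDGUIDs from the schema so the ACE covers exactly one attribute
# on exactly one object class (user), instead of "Read All Properties".
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attrGuid = [Guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$attribute)" -Properties schemaIDGUID).schemaIDGUID
$userGuid = [Guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID).schemaIDGUID

# Deny ReadProperty on that attribute, inherited by descendant user objects only.
$identity = New-Object System.Security.Principal.NTAccount($denyGroup)
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: show every Deny ACE on the OU that is scoped to this attribute, so the
# change can be audited (who is denied, what right, how it inherits).
function Get-AttributeDenyAces {
    param([string]$Dn, [Guid]$AttrGuid)
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $AttrGuid } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
}
Get-AttributeDenyAces -Dn $ouDn -AttrGuid $attrGuid
```

Because the Deny wins over any Allow, every account that still needs to read the attribute has to stay out of the denied group; using a broad group such as Users would also deny administrators and service accounts that are members of it.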
Current thread:
- MS Active Directory and FERPA Robert Jackson (Jun 09)
- <Possible follow-ups>
- Re: MS Active Directory and FERPA Garriga, Manuel (Jun 13)
- Re: MS Active Directory and FERPA Bradley Ellis (Jun 13)