Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Restricting LDAP search permissions in AD2003

From: "Hayes, Ian" <ihayes () nvcancer org>
Date: Wed, 19 Mar 2008 12:26:00 -0700
Unless my memory has gotten that bad, by default the account would have
to be at least in the Account Operators group in order to make any
modifications to a user object.

You can ensure that the account in question has DENY set for any Write
operation on user objects at the domain level. Also make sure that any
shares you have either have DENY for that user, or you aren't using
Everyone, Authenticated Users or Domain Users as the permitted group.

--
Ian Hayes
Systems Engineer
Nevada Cancer Institute
Office:(702) 822-5156
email: ihayes () nvcancer org
http://www.nevadacancerinstitute.org


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Paul Deasy
Sent: Wednesday, March 19, 2008 9:42 AM
To: security-basics () securityfocus com
Subject: Restricting LDAP search permissions in AD2003

I have had a couple of requests to have some internal intranet apps
configured so end-users could login via SSO (authenticating against
our AD2003 database.)

I'm trying to setup an AD2003 user account, which would be used when
configuring the LDAP authentication of the webapp, but I'm a bit
concerned that a basic domain-user level account would be able to do
more than just query the AD database with an LDAP query. I'm trying to
ensure that the useraccount would only be able to check permissions of
a security group.

Does anyone have (or know of) any recommended access controls for such
a user account setup? I want to be sure that this user account cannot
be used to modify user account permissions.

any suggestions would be much appreciated

PaulD


--------------------------------------------------------------------------
CONFIDENTIALITY NOTICE: This e-mail message, including any
attachments, is for the sole use of the intended 
recipient(s) and may contain confidential, proprietary, 
and/or privileged information protected by law. If you are 
not the intended recipient, you may not use, copy, or 
distribute this e-mail message or its attachments. If you 
believe you have received this e-mail message in error, 
please contact the sender by reply e-mail and destroy all 
copies of the original message
Previous By Date Next
Previous By Thread Next

Current thread: