Security Basics mailing list archives
RE: Restricting LDAP search permissions in AD2003
From: "Hayes, Ian" <ihayes () nvcancer org>
Date: Wed, 19 Mar 2008 12:26:00 -0700
Unless my memory has gotten that bad, by default the account would have to be at least in the Account Operators group in order to make any modifications to a user object. You can ensure that the account in question has DENY set for any Write operation on user objects at the domain level. Also make sure that any shares you have either have DENY for that user, or you aren't using Everyone, Authenticated Users or Domain Users as the permitted group.

--
Ian Hayes
Systems Engineer
Nevada Cancer Institute
Office: (702) 822-5156
email: ihayes () nvcancer org
http://www.nevadacancerinstitute.org

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Paul Deasy
Sent: Wednesday, March 19, 2008 9:42 AM
To: security-basics () securityfocus com
Subject: Restricting LDAP search permissions in AD2003

I have had a couple of requests to have some internal intranet apps configured so end-users could log in via SSO (authenticating against our AD2003 database). I'm trying to set up an AD2003 user account, which would be used when configuring the LDAP authentication of the webapp, but I'm a bit concerned that a basic domain-user level account would be able to do more than just query the AD database with an LDAP query. I'm trying to ensure that the user account would only be able to check permissions of a security group.

Does anyone have (or know of) any recommended access controls for such a user account setup? I want to be sure that this user account cannot be used to modify user account permissions.

Any suggestions would be much appreciated.

PaulD
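The three controls Ian describes (a plain domain user with no privileged group membership, an explicit Deny of Write on user objects at the domain root, and shares that do not grant Everyone, Authenticated Users or Domain Users) can be applied and verified with the ActiveDirectory PowerShell module. The script below is an added example, not code from the thread or from either poster; it assumes a modern domain controller or RSAT host (the Get-Smb* cmdlets exist from Windows Server 2012 onward, not on the 2003 servers discussed here), and the account name, description and function names are placeholders.

```powershell
# Added example (not part of the thread): least-privilege LDAP bind account for an intranet web app.
# Assumes the ActiveDirectory module (RSAT) and a Domain Admin session. Names are assumptions.
Import-Module ActiveDirectory

# schemaIDGUID of the "user" object class, so the Deny ACE applies only to user objects.
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function New-LdapBindAccount {
    param([string]$SamAccountName = 'svc-webapp-ldap')   # assumed account name
    $pw = Read-Host -AsSecureString "Password for $SamAccountName"
    # A plain domain user: Domain Users already carries the read rights an LDAP
    # authentication and group-membership check needs. No Account Operators, no other groups.
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -AccountPassword $pw -Enabled $true `
        -Description 'Read-only LDAP bind account for intranet SSO' -PassThru
}

function Set-DenyWriteOnUserObjects {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $domainDN = (Get-ADDomain).DistinguishedName
    $sid      = (Get-ADUser $SamAccountName).SID
    $acl      = Get-Acl -Path "AD:\$domainDN"
    # Deny GenericWrite at the domain root, inherited by every descendant object of class "user".
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$domainDN" -AclObject $acl
}

function Test-LdapBindAccountIsRestricted {
    # Verifies both conditions: no group beyond Domain Users, and the Deny ACE is present.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $groups   = (Get-ADPrincipalGroupMembership $SamAccountName).Name
    $extra    = $groups | Where-Object { $_ -ne 'Domain Users' }
    $domainDN = (Get-ADDomain).DistinguishedName
    $sid      = (Get-ADUser $SamAccountName).SID
    $deny = (Get-Acl -Path "AD:\$domainDN").Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        $_.AccessControlType -eq 'Deny' -and
        $_.InheritedObjectType -eq $UserClassGuid
    }
    [pscustomobject]@{
        Account         = $SamAccountName
        ExtraGroups     = @($extra)          # should be empty
        HasDenyWriteACE = [bool]$deny        # should be True
    }
}

function Find-BroadShareGrants {
    # Lists non-administrative shares on this server that grant Allow to the broad groups
    # Ian warns about; each hit is a share the bind account (and everyone else) can reach.
    $broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', "$env:USERDOMAIN\Domain Users"
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $broad -contains $_.AccountName
        }
    }
}

# Usage (run as a Domain Admin on a DC or RSAT host):
# New-LdapBindAccount -SamAccountName 'svc-webapp-ldap'
# Set-DenyWriteOnUserObjects -SamAccountName 'svc-webapp-ldap'
# Test-LdapBindAccountIsRestricted -SamAccountName 'svc-webapp-ldap'
# Find-BroadShareGrants
```

The Deny ACE is inherited only to objects of class user (the `InheritedObjectType` GUID), so the account keeps its default read access to the rest of the directory, which is all the web app's bind-and-search needs. Since a plain domain user holds no write rights on other users' objects in the first place, the ACE is a belt-and-braces control that also protects against someone later adding the account to a group that does grant write; `Test-LdapBindAccountIsRestricted` makes both facts visible so they can be re-checked periodically.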
Current thread:
- Restricting LDAP search permissions in AD2003 Paul Deasy (Mar 19)
- RE: Restricting LDAP search permissions in AD2003 Hayes, Ian (Mar 19)