Educause Security Discussion mailing list archives
AD Group membership exposure
From: "Custer, William L. Mr." <custerwl () MUOHIO EDU>
Date: Thu, 19 Jun 2008 16:44:58 -0400
Unlike Novell and SunOne LDAP, by default Active Directory reveals to any member of a group the list of constituents of that group. Thus, if you are in a group of Biology majors, you could know the list of all Biology majors. Modifications can be made to AD default parameters to prevent members of a group from knowing the constituents. A possible risk is that applications may not function without the AD defaults.

1. Have other institutions modified this default of AD to protect knowledge of group membership?
2. Would it not be a FERPA violation to reveal information about a student who has opted out of displaying his/her directory information?
3. If one had a group consisting of all attendees of the main campus, would this pose a new risk from a password dictionary attack to your campus? New in the sense that there is no other easy way to get the username list.